OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | 4 |
5 /* | 5 /* |
6 * Implementation of OCSP services, for both client and server. | 6 * Implementation of OCSP services, for both client and server. |
7 * (XXX, really, mostly just for client right now, but intended to do both.) | 7 * (XXX, really, mostly just for client right now, but intended to do both.) |
8 */ | 8 */ |
9 | 9 |
10 #include "prerror.h" | 10 #include "prerror.h" |
(...skipping 15 matching lines...) Expand all Loading... |
26 #include "sechash.h" | 26 #include "sechash.h" |
27 #include "secasn1.h" | 27 #include "secasn1.h" |
28 #include "plbase64.h" | 28 #include "plbase64.h" |
29 #include "keyhi.h" | 29 #include "keyhi.h" |
30 #include "cryptohi.h" | 30 #include "cryptohi.h" |
31 #include "ocsp.h" | 31 #include "ocsp.h" |
32 #include "ocspti.h" | 32 #include "ocspti.h" |
33 #include "ocspi.h" | 33 #include "ocspi.h" |
34 #include "genname.h" | 34 #include "genname.h" |
35 #include "certxutl.h" | 35 #include "certxutl.h" |
36 #include "pk11func.h"» /* for PK11_HashBuf */ | 36 #include "pk11func.h" /* for PK11_HashBuf */ |
37 #include <stdarg.h> | 37 #include <stdarg.h> |
38 #include <plhash.h> | 38 #include <plhash.h> |
39 | 39 |
40 #define DEFAULT_OCSP_CACHE_SIZE 1000 | 40 #define DEFAULT_OCSP_CACHE_SIZE 1000 |
41 #define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1*60*60L | 41 #define DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 1 * 60 * 60L |
42 #define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24*60*60L | 42 #define DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT 24 * 60 * 60L |
43 #define DEFAULT_OSCP_TIMEOUT_SECONDS 60 | 43 #define DEFAULT_OSCP_TIMEOUT_SECONDS 60 |
44 #define MICROSECONDS_PER_SECOND 1000000L | 44 #define MICROSECONDS_PER_SECOND 1000000L |
45 | 45 |
46 typedef struct OCSPCacheItemStr OCSPCacheItem; | 46 typedef struct OCSPCacheItemStr OCSPCacheItem; |
47 typedef struct OCSPCacheDataStr OCSPCacheData; | 47 typedef struct OCSPCacheDataStr OCSPCacheData; |
48 | 48 |
49 struct OCSPCacheItemStr { | 49 struct OCSPCacheItemStr { |
50 /* LRU linking */ | 50 /* LRU linking */ |
51 OCSPCacheItem *moreRecent; | 51 OCSPCacheItem *moreRecent; |
52 OCSPCacheItem *lessRecent; | 52 OCSPCacheItem *lessRecent; |
53 | 53 |
54 /* key */ | 54 /* key */ |
55 CERTOCSPCertID *certID; | 55 CERTOCSPCertID *certID; |
56 /* CertID's arena also used to allocate "this" cache item */ | 56 /* CertID's arena also used to allocate "this" cache item */ |
57 | 57 |
58 /* cache control information */ | 58 /* cache control information */ |
59 PRTime nextFetchAttemptTime; | 59 PRTime nextFetchAttemptTime; |
60 | 60 |
61 /* Cached contents. Use a separate arena, because lifetime is different */ | 61 /* Cached contents. Use a separate arena, because lifetime is different */ |
62 PLArenaPool *certStatusArena; /* NULL means: no cert status cached */ | 62 PLArenaPool *certStatusArena; /* NULL means: no cert status cached */ |
63 ocspCertStatus certStatus; | 63 ocspCertStatus certStatus; |
64 | 64 |
65 /* This may contain an error code when no OCSP response is available. */ | 65 /* This may contain an error code when no OCSP response is available. */ |
66 SECErrorCodes missingResponseError; | 66 SECErrorCodes missingResponseError; |
67 | 67 |
68 PRPackedBool haveThisUpdate; | 68 PRPackedBool haveThisUpdate; |
69 PRPackedBool haveNextUpdate; | 69 PRPackedBool haveNextUpdate; |
70 PRTime thisUpdate; | 70 PRTime thisUpdate; |
71 PRTime nextUpdate; | 71 PRTime nextUpdate; |
72 }; | 72 }; |
73 | 73 |
74 struct OCSPCacheDataStr { | 74 struct OCSPCacheDataStr { |
75 PLHashTable *entries; | 75 PLHashTable *entries; |
76 PRUint32 numberOfEntries; | 76 PRUint32 numberOfEntries; |
77 OCSPCacheItem *MRUitem; /* most recently used cache item */ | 77 OCSPCacheItem *MRUitem; /* most recently used cache item */ |
78 OCSPCacheItem *LRUitem; /* least recently used cache item */ | 78 OCSPCacheItem *LRUitem; /* least recently used cache item */ |
79 }; | 79 }; |
80 | 80 |
81 static struct OCSPGlobalStruct { | 81 static struct OCSPGlobalStruct { |
82 PRMonitor *monitor; | 82 PRMonitor *monitor; |
83 const SEC_HttpClientFcn *defaultHttpClientFcn; | 83 const SEC_HttpClientFcn *defaultHttpClientFcn; |
84 PRInt32 maxCacheEntries; | 84 PRInt32 maxCacheEntries; |
85 PRUint32 minimumSecondsToNextFetchAttempt; | 85 PRUint32 minimumSecondsToNextFetchAttempt; |
86 PRUint32 maximumSecondsToNextFetchAttempt; | 86 PRUint32 maximumSecondsToNextFetchAttempt; |
87 PRUint32 timeoutSeconds; | 87 PRUint32 timeoutSeconds; |
88 OCSPCacheData cache; | 88 OCSPCacheData cache; |
89 SEC_OcspFailureMode ocspFailureMode; | 89 SEC_OcspFailureMode ocspFailureMode; |
90 CERT_StringFromCertFcn alternateOCSPAIAFcn; | 90 CERT_StringFromCertFcn alternateOCSPAIAFcn; |
91 PRBool forcePost; | 91 PRBool forcePost; |
92 } OCSP_Global = { NULL,· | 92 } OCSP_Global = {NULL, |
93 NULL,· | 93 NULL, |
94 DEFAULT_OCSP_CACHE_SIZE,· | 94 DEFAULT_OCSP_CACHE_SIZE, |
95 DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, | 95 DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, |
96 DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, | 96 DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT, |
97 DEFAULT_OSCP_TIMEOUT_SECONDS, | 97 DEFAULT_OSCP_TIMEOUT_SECONDS, |
98 {NULL, 0, NULL, NULL}, | 98 {NULL, 0, NULL, NULL}, |
99 ocspMode_FailureIsVerificationFailure, | 99 ocspMode_FailureIsVerificationFailure, |
100 NULL, | 100 NULL, |
101 PR_FALSE | 101 PR_FALSE}; |
102 }; | |
103 | |
104 | |
105 | 102 |
106 /* Forward declarations */ | 103 /* Forward declarations */ |
107 static SECItem * | 104 static SECItem *ocsp_GetEncodedOCSPResponseFromRequest( |
108 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena,· | 105 PLArenaPool *arena, CERTOCSPRequest *request, const char *location, |
109 CERTOCSPRequest *request, | 106 const char *method, PRTime time, PRBool addServiceLocator, void *pwArg, |
110 const char *location, | 107 CERTOCSPRequest **pRequest); |
111 » » » » const char *method, | 108 static SECStatus ocsp_GetOCSPStatusFromNetwork( |
112 » » » » PRTime time, | 109 CERTCertDBHandle *handle, CERTOCSPCertID *certID, CERTCertificate *cert, |
113 PRBool addServiceLocator, | 110 PRTime time, void *pwArg, PRBool *certIDWasConsumed, SECStatus *rv_ocsp); |
114 void *pwArg, | 111 |
115 CERTOCSPRequest **pRequest); | 112 static SECStatus ocsp_GetDecodedVerifiedSingleResponseForID( |
116 static SECStatus | 113 CERTCertDBHandle *handle, CERTOCSPCertID *certID, CERTCertificate *cert, |
117 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,· | 114 PRTime time, void *pwArg, const SECItem *encodedResponse, |
118 CERTOCSPCertID *certID,· | 115 CERTOCSPResponse **pDecodedResponse, CERTOCSPSingleResponse **pSingle); |
119 CERTCertificate *cert,· | 116 |
120 PRTime time,· | 117 static SECStatus ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, |
121 void *pwArg, | 118 PRTime time); |
122 PRBool *certIDWasConsumed, | 119 |
123 SECStatus *rv_ocsp); | 120 static CERTOCSPCertID *cert_DupOCSPCertID(const CERTOCSPCertID *src); |
124 | |
125 static SECStatus | |
126 ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, | |
127 » » » » » CERTOCSPCertID *certID, | |
128 » » » » » CERTCertificate *cert, | |
129 » » » » » PRTime time, | |
130 » » » » » void *pwArg, | |
131 » » » » » const SECItem *encodedResponse, | |
132 » » » » » CERTOCSPResponse **pDecodedResponse, | |
133 » » » » » CERTOCSPSingleResponse **pSingle); | |
134 | |
135 static SECStatus | |
136 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time); | |
137 | |
138 static CERTOCSPCertID * | |
139 cert_DupOCSPCertID(const CERTOCSPCertID *src); | |
140 | 121 |
141 #ifndef DEBUG | 122 #ifndef DEBUG |
142 #define OCSP_TRACE(msg) | 123 #define OCSP_TRACE(msg) |
143 #define OCSP_TRACE_TIME(msg, time) | 124 #define OCSP_TRACE_TIME(msg, time) |
144 #define OCSP_TRACE_CERT(cert) | 125 #define OCSP_TRACE_CERT(cert) |
145 #define OCSP_TRACE_CERTID(certid) | 126 #define OCSP_TRACE_CERTID(certid) |
146 #else | 127 #else |
147 #define OCSP_TRACE(msg) ocsp_Trace msg | 128 #define OCSP_TRACE(msg) ocsp_Trace msg |
148 #define OCSP_TRACE_TIME(msg, time) ocsp_dumpStringWithTime(msg, time) | 129 #define OCSP_TRACE_TIME(msg, time) ocsp_dumpStringWithTime(msg, time) |
149 #define OCSP_TRACE_CERT(cert) dumpCertificate(cert) | 130 #define OCSP_TRACE_CERT(cert) dumpCertificate(cert) |
150 #define OCSP_TRACE_CERTID(certid) dumpCertID(certid) | 131 #define OCSP_TRACE_CERTID(certid) dumpCertID(certid) |
151 | 132 |
152 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) \ | 133 #if defined(XP_UNIX) || defined(XP_WIN32) || defined(XP_BEOS) || \ |
153 || defined(XP_MACOSX) | 134 defined(XP_MACOSX) |
154 #define NSS_HAVE_GETENV 1 | 135 #define NSS_HAVE_GETENV 1 |
155 #endif | 136 #endif |
156 | 137 |
157 static PRBool wantOcspTrace(void) | 138 static PRBool wantOcspTrace(void) { |
158 { | 139 static PRBool firstTime = PR_TRUE; |
159 static PRBool firstTime = PR_TRUE; | 140 static PRBool wantTrace = PR_FALSE; |
160 static PRBool wantTrace = PR_FALSE; | |
161 | 141 |
162 #ifdef NSS_HAVE_GETENV | 142 #ifdef NSS_HAVE_GETENV |
163 if (firstTime) { | 143 if (firstTime) { |
164 char *ev = getenv("NSS_TRACE_OCSP"); | 144 char *ev = getenv("NSS_TRACE_OCSP"); |
165 if (ev && ev[0]) { | 145 if (ev && ev[0]) { |
166 wantTrace = PR_TRUE; | 146 wantTrace = PR_TRUE; |
167 } | 147 } |
168 firstTime = PR_FALSE; | 148 firstTime = PR_FALSE; |
169 } | 149 } |
170 #endif | 150 #endif |
171 return wantTrace; | 151 return wantTrace; |
172 } | 152 } |
173 | 153 |
174 static void | 154 static void ocsp_Trace(const char *format, ...) { |
175 ocsp_Trace(const char *format, ...) | 155 char buf[2000]; |
176 { | 156 va_list args; |
177 char buf[2000]; | 157 |
178 va_list args; | 158 if (!wantOcspTrace()) return; |
179 ·· | 159 va_start(args, format); |
180 if (!wantOcspTrace()) | 160 PR_vsnprintf(buf, sizeof(buf), format, args); |
181 return; | 161 va_end(args); |
182 va_start(args, format); | 162 PR_LogPrint("%s", buf); |
183 PR_vsnprintf(buf, sizeof(buf), format, args); | 163 } |
184 va_end(args); | 164 |
185 PR_LogPrint("%s", buf); | 165 static void ocsp_dumpStringWithTime(const char *str, PRTime time) { |
186 } | 166 PRExplodedTime timePrintable; |
187 | 167 char timestr[256]; |
188 static void | 168 |
189 ocsp_dumpStringWithTime(const char *str, PRTime time) | 169 if (!wantOcspTrace()) return; |
190 { | 170 PR_ExplodeTime(time, PR_GMTParameters, &timePrintable); |
191 PRExplodedTime timePrintable; | 171 if (PR_FormatTime(timestr, 256, "%a %b %d %H:%M:%S %Y", &timePrintable)) { |
192 char timestr[256]; | 172 ocsp_Trace("OCSP %s %s\n", str, timestr); |
193 | 173 } |
194 if (!wantOcspTrace()) | 174 } |
195 return; | 175 |
196 PR_ExplodeTime(time, PR_GMTParameters, &timePrintable); | 176 static void printHexString(const char *prefix, SECItem *hexval) { |
197 if (PR_FormatTime(timestr, 256, "%a %b %d %H:%M:%S %Y", &timePrintable)) { | 177 unsigned int i; |
198 ocsp_Trace("OCSP %s %s\n", str, timestr); | 178 char *hexbuf = NULL; |
199 } | 179 |
200 } | 180 for (i = 0; i < hexval->len; i++) { |
201 | 181 if (i != hexval->len - 1) { |
202 static void | 182 hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]); |
203 printHexString(const char *prefix, SECItem *hexval) | 183 } else { |
204 { | 184 hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]); |
205 unsigned int i; | 185 } |
206 char *hexbuf = NULL; | 186 } |
207 | 187 if (hexbuf) { |
208 for (i = 0; i < hexval->len; i++) { | 188 ocsp_Trace("%s %s\n", prefix, hexbuf); |
209 if (i != hexval->len - 1) { | 189 PR_smprintf_free(hexbuf); |
210 hexbuf = PR_sprintf_append(hexbuf, "%02x:", hexval->data[i]); | 190 } |
211 } else { | 191 } |
212 hexbuf = PR_sprintf_append(hexbuf, "%02x", hexval->data[i]); | 192 |
213 } | 193 static void dumpCertificate(CERTCertificate *cert) { |
214 } | 194 if (!wantOcspTrace()) return; |
215 if (hexbuf) { | 195 |
216 ocsp_Trace("%s %s\n", prefix, hexbuf); | 196 ocsp_Trace("OCSP ----------------\n"); |
217 PR_smprintf_free(hexbuf); | 197 ocsp_Trace("OCSP ## SUBJECT: %s\n", cert->subjectName); |
218 } | 198 { |
219 } | 199 PRTime timeBefore, timeAfter; |
220 | 200 PRExplodedTime beforePrintable, afterPrintable; |
221 static void | 201 char beforestr[256], afterstr[256]; |
222 dumpCertificate(CERTCertificate *cert) | 202 PRStatus rv1, rv2; |
223 { | 203 DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore); |
224 if (!wantOcspTrace()) | 204 DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter); |
225 return; | 205 PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable); |
226 | 206 PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable); |
227 ocsp_Trace("OCSP ----------------\n"); | 207 rv1 = |
228 ocsp_Trace("OCSP ## SUBJECT: %s\n", cert->subjectName); | 208 PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", &beforePrintable); |
229 { | 209 rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", &afterPrintable); |
230 PRTime timeBefore, timeAfter; | 210 ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "", |
231 PRExplodedTime beforePrintable, afterPrintable; | 211 rv2 ? afterstr : ""); |
232 char beforestr[256], afterstr[256]; | 212 } |
233 PRStatus rv1, rv2; | 213 ocsp_Trace("OCSP ## ISSUER: %s\n", cert->issuerName); |
234 DER_DecodeTimeChoice(&timeBefore, &cert->validity.notBefore); | 214 printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber); |
235 DER_DecodeTimeChoice(&timeAfter, &cert->validity.notAfter); | 215 } |
236 PR_ExplodeTime(timeBefore, PR_GMTParameters, &beforePrintable); | 216 |
237 PR_ExplodeTime(timeAfter, PR_GMTParameters, &afterPrintable); | 217 static void dumpCertID(CERTOCSPCertID *certID) { |
238 rv1 = PR_FormatTime(beforestr, 256, "%a %b %d %H:%M:%S %Y", | 218 if (!wantOcspTrace()) return; |
239 &beforePrintable); | 219 |
240 rv2 = PR_FormatTime(afterstr, 256, "%a %b %d %H:%M:%S %Y", | 220 printHexString("OCSP certID issuer", &certID->issuerNameHash); |
241 &afterPrintable); | 221 printHexString("OCSP certID serial", &certID->serialNumber); |
242 ocsp_Trace("OCSP ## VALIDITY: %s to %s\n", rv1 ? beforestr : "", | |
243 rv2 ? afterstr : ""); | |
244 } | |
245 ocsp_Trace("OCSP ## ISSUER: %s\n", cert->issuerName); | |
246 printHexString("OCSP ## SERIAL NUMBER:", &cert->serialNumber); | |
247 } | |
248 | |
249 static void | |
250 dumpCertID(CERTOCSPCertID *certID) | |
251 { | |
252 if (!wantOcspTrace()) | |
253 return; | |
254 | |
255 printHexString("OCSP certID issuer", &certID->issuerNameHash); | |
256 printHexString("OCSP certID serial", &certID->serialNumber); | |
257 } | 222 } |
258 #endif | 223 #endif |
259 | 224 |
260 SECStatus | 225 SECStatus SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable) { |
261 SEC_RegisterDefaultHttpClient(const SEC_HttpClientFcn *fcnTable) | 226 if (!OCSP_Global.monitor) { |
262 { | 227 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
263 if (!OCSP_Global.monitor) { | 228 return SECFailure; |
264 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 229 } |
265 return SECFailure; | 230 |
266 } | 231 PR_EnterMonitor(OCSP_Global.monitor); |
267 ···· | 232 OCSP_Global.defaultHttpClientFcn = fcnTable; |
268 PR_EnterMonitor(OCSP_Global.monitor); | 233 PR_ExitMonitor(OCSP_Global.monitor); |
269 OCSP_Global.defaultHttpClientFcn = fcnTable; | 234 |
270 PR_ExitMonitor(OCSP_Global.monitor); | 235 return SECSuccess; |
271 ···· | 236 } |
272 return SECSuccess; | 237 |
273 } | 238 SECStatus CERT_RegisterAlternateOCSPAIAInfoCallBack( |
274 | 239 CERT_StringFromCertFcn newCallback, CERT_StringFromCertFcn *oldCallback) { |
275 SECStatus | 240 CERT_StringFromCertFcn old; |
276 CERT_RegisterAlternateOCSPAIAInfoCallBack( | 241 |
277 » » » CERT_StringFromCertFcn newCallback, | 242 if (!OCSP_Global.monitor) { |
278 » » » CERT_StringFromCertFcn * oldCallback) | 243 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
279 { | 244 return SECFailure; |
280 CERT_StringFromCertFcn old; | 245 } |
281 | 246 |
282 if (!OCSP_Global.monitor) { | 247 PR_EnterMonitor(OCSP_Global.monitor); |
283 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 248 old = OCSP_Global.alternateOCSPAIAFcn; |
284 return SECFailure; | 249 OCSP_Global.alternateOCSPAIAFcn = newCallback; |
285 } | 250 PR_ExitMonitor(OCSP_Global.monitor); |
286 | 251 if (oldCallback) *oldCallback = old; |
287 PR_EnterMonitor(OCSP_Global.monitor); | 252 return SECSuccess; |
288 old = OCSP_Global.alternateOCSPAIAFcn; | 253 } |
289 OCSP_Global.alternateOCSPAIAFcn = newCallback; | 254 |
290 PR_ExitMonitor(OCSP_Global.monitor); | 255 static PLHashNumber PR_CALLBACK ocsp_CacheKeyHashFunction(const void *key) { |
291 if (oldCallback) | 256 CERTOCSPCertID *cid = (CERTOCSPCertID *)key; |
292 » *oldCallback = old; | 257 PLHashNumber hash = 0; |
293 return SECSuccess; | 258 unsigned int i; |
294 } | 259 unsigned char *walk; |
295 | 260 |
296 static PLHashNumber PR_CALLBACK | 261 /* a very simple hash calculation for the initial coding phase */ |
297 ocsp_CacheKeyHashFunction(const void *key) | 262 walk = (unsigned char *)cid->issuerNameHash.data; |
298 { | 263 for (i = 0; i < cid->issuerNameHash.len; ++i, ++walk) { |
299 CERTOCSPCertID *cid = (CERTOCSPCertID *)key; | 264 hash += *walk; |
300 PLHashNumber hash = 0; | 265 } |
301 unsigned int i; | 266 walk = (unsigned char *)cid->issuerKeyHash.data; |
302 unsigned char *walk; | 267 for (i = 0; i < cid->issuerKeyHash.len; ++i, ++walk) { |
303 ·· | 268 hash += *walk; |
304 /* a very simple hash calculation for the initial coding phase */ | 269 } |
305 walk = (unsigned char*)cid->issuerNameHash.data; | 270 walk = (unsigned char *)cid->serialNumber.data; |
306 for (i=0; i < cid->issuerNameHash.len; ++i, ++walk) { | 271 for (i = 0; i < cid->serialNumber.len; ++i, ++walk) { |
307 hash += *walk; | 272 hash += *walk; |
308 } | 273 } |
309 walk = (unsigned char*)cid->issuerKeyHash.data; | 274 return hash; |
310 for (i=0; i < cid->issuerKeyHash.len; ++i, ++walk) { | |
311 hash += *walk; | |
312 } | |
313 walk = (unsigned char*)cid->serialNumber.data; | |
314 for (i=0; i < cid->serialNumber.len; ++i, ++walk) { | |
315 hash += *walk; | |
316 } | |
317 return hash; | |
318 } | 275 } |
319 | 276 |
320 static PRIntn PR_CALLBACK | 277 static PRIntn PR_CALLBACK |
321 ocsp_CacheKeyCompareFunction(const void *v1, const void *v2) | 278 ocsp_CacheKeyCompareFunction(const void *v1, const void *v2) { |
322 { | 279 CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1; |
323 CERTOCSPCertID *cid1 = (CERTOCSPCertID *)v1; | 280 CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2; |
324 CERTOCSPCertID *cid2 = (CERTOCSPCertID *)v2; | 281 |
325 ·· | 282 return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash, |
326 return (SECEqual == SECITEM_CompareItem(&cid1->issuerNameHash,· | 283 &cid2->issuerNameHash) && |
327 &cid2->issuerNameHash) | 284 SECEqual == |
328 && SECEqual == SECITEM_CompareItem(&cid1->issuerKeyHash, | 285 SECITEM_CompareItem(&cid1->issuerKeyHash, &cid2->issuerKeyHash) && |
329 &cid2->issuerKeyHash) | 286 SECEqual == |
330 && SECEqual == SECITEM_CompareItem(&cid1->serialNumber, | 287 SECITEM_CompareItem(&cid1->serialNumber, &cid2->serialNumber)); |
331 &cid2->serialNumber)); | 288 } |
332 } | 289 |
333 | 290 static SECStatus ocsp_CopyRevokedInfo(PLArenaPool *arena, ocspCertStatus *dest, |
334 static SECStatus | 291 ocspRevokedInfo *src) { |
335 ocsp_CopyRevokedInfo(PLArenaPool *arena, ocspCertStatus *dest, | 292 SECStatus rv = SECFailure; |
336 ocspRevokedInfo *src) | 293 void *mark; |
337 { | 294 |
338 SECStatus rv = SECFailure; | 295 mark = PORT_ArenaMark(arena); |
339 void *mark; | 296 |
340 ·· | 297 dest->certStatusInfo.revokedInfo = |
341 mark = PORT_ArenaMark(arena); | 298 (ocspRevokedInfo *)PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo)); |
342 ·· | 299 if (!dest->certStatusInfo.revokedInfo) { |
343 dest->certStatusInfo.revokedInfo =· | 300 goto loser; |
344 (ocspRevokedInfo *) PORT_ArenaZAlloc(arena, sizeof(ocspRevokedInfo)); | 301 } |
345 if (!dest->certStatusInfo.revokedInfo) { | 302 |
346 goto loser; | 303 rv = |
347 } | 304 SECITEM_CopyItem(arena, &dest->certStatusInfo.revokedInfo->revocationTime, |
348 ·· | 305 &src->revocationTime); |
349 rv = SECITEM_CopyItem(arena,· | 306 if (rv != SECSuccess) { |
350 &dest->certStatusInfo.revokedInfo->revocationTime,· | 307 goto loser; |
351 &src->revocationTime); | 308 } |
352 if (rv != SECSuccess) { | 309 |
353 goto loser; | 310 if (src->revocationReason) { |
354 } | 311 dest->certStatusInfo.revokedInfo->revocationReason = |
355 ·· | 312 SECITEM_ArenaDupItem(arena, src->revocationReason); |
356 if (src->revocationReason) { | 313 if (!dest->certStatusInfo.revokedInfo->revocationReason) { |
357 dest->certStatusInfo.revokedInfo->revocationReason =· | 314 goto loser; |
358 SECITEM_ArenaDupItem(arena, src->revocationReason); | 315 } |
359 if (!dest->certStatusInfo.revokedInfo->revocationReason) { | 316 } else { |
360 goto loser; | 317 dest->certStatusInfo.revokedInfo->revocationReason = NULL; |
361 } | 318 } |
362 } else { | 319 |
363 dest->certStatusInfo.revokedInfo->revocationReason = NULL; | 320 PORT_ArenaUnmark(arena, mark); |
364 } | 321 return SECSuccess; |
365 ·· | |
366 PORT_ArenaUnmark(arena, mark); | |
367 return SECSuccess; | |
368 | 322 |
369 loser: | 323 loser: |
370 PORT_ArenaRelease(arena, mark); | 324 PORT_ArenaRelease(arena, mark); |
371 return SECFailure; | 325 return SECFailure; |
372 } | 326 } |
373 | 327 |
374 static SECStatus | 328 static SECStatus ocsp_CopyCertStatus(PLArenaPool *arena, ocspCertStatus *dest, |
375 ocsp_CopyCertStatus(PLArenaPool *arena, ocspCertStatus *dest, | 329 ocspCertStatus *src) { |
376 ocspCertStatus*src) | 330 SECStatus rv = SECFailure; |
377 { | 331 dest->certStatusType = src->certStatusType; |
378 SECStatus rv = SECFailure; | 332 |
379 dest->certStatusType = src->certStatusType; | 333 switch (src->certStatusType) { |
380 | |
381 switch (src->certStatusType) { | |
382 case ocspCertStatus_good: | 334 case ocspCertStatus_good: |
383 dest->certStatusInfo.goodInfo = | 335 dest->certStatusInfo.goodInfo = |
384 SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo); | 336 SECITEM_ArenaDupItem(arena, src->certStatusInfo.goodInfo); |
385 if (dest->certStatusInfo.goodInfo != NULL) { | 337 if (dest->certStatusInfo.goodInfo != NULL) { |
386 rv = SECSuccess; | 338 rv = SECSuccess; |
387 } | 339 } |
388 break; | 340 break; |
389 case ocspCertStatus_revoked: | 341 case ocspCertStatus_revoked: |
390 rv = ocsp_CopyRevokedInfo(arena, dest, | 342 rv = ocsp_CopyRevokedInfo(arena, dest, src->certStatusInfo.revokedInfo); |
391 src->certStatusInfo.revokedInfo); | 343 break; |
392 break; | |
393 case ocspCertStatus_unknown: | 344 case ocspCertStatus_unknown: |
394 dest->certStatusInfo.unknownInfo = | 345 dest->certStatusInfo.unknownInfo = |
395 SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo); | 346 SECITEM_ArenaDupItem(arena, src->certStatusInfo.unknownInfo); |
396 if (dest->certStatusInfo.unknownInfo != NULL) { | 347 if (dest->certStatusInfo.unknownInfo != NULL) { |
397 rv = SECSuccess; | 348 rv = SECSuccess; |
398 } | 349 } |
399 break; | 350 break; |
400 case ocspCertStatus_other: | 351 case ocspCertStatus_other: |
401 default: | 352 default: |
402 PORT_Assert(src->certStatusType == ocspCertStatus_other); | 353 PORT_Assert(src->certStatusType == ocspCertStatus_other); |
403 dest->certStatusInfo.otherInfo =· | 354 dest->certStatusInfo.otherInfo = |
404 SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo); | 355 SECITEM_ArenaDupItem(arena, src->certStatusInfo.otherInfo); |
405 if (dest->certStatusInfo.otherInfo != NULL) { | 356 if (dest->certStatusInfo.otherInfo != NULL) { |
406 rv = SECSuccess; | 357 rv = SECSuccess; |
407 } | 358 } |
408 break; | 359 break; |
409 } | 360 } |
410 return rv; | 361 return rv; |
411 } | 362 } |
412 | 363 |
413 static void | 364 static void ocsp_AddCacheItemToLinkedList(OCSPCacheData *cache, |
414 ocsp_AddCacheItemToLinkedList(OCSPCacheData *cache, OCSPCacheItem *new_most_rece
nt) | 365 OCSPCacheItem *new_most_recent) { |
415 { | 366 PR_EnterMonitor(OCSP_Global.monitor); |
416 PR_EnterMonitor(OCSP_Global.monitor); | 367 |
417 | 368 if (!cache->LRUitem) { |
418 if (!cache->LRUitem) { | 369 cache->LRUitem = new_most_recent; |
419 cache->LRUitem = new_most_recent; | 370 } |
420 } | 371 new_most_recent->lessRecent = cache->MRUitem; |
421 new_most_recent->lessRecent = cache->MRUitem; | 372 new_most_recent->moreRecent = NULL; |
422 new_most_recent->moreRecent = NULL; | 373 |
423 | 374 if (cache->MRUitem) { |
424 if (cache->MRUitem) { | 375 cache->MRUitem->moreRecent = new_most_recent; |
425 cache->MRUitem->moreRecent = new_most_recent; | 376 } |
426 } | 377 cache->MRUitem = new_most_recent; |
427 cache->MRUitem = new_most_recent; | 378 |
428 | 379 PR_ExitMonitor(OCSP_Global.monitor); |
| 380 } |
| 381 |
| 382 static void ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, |
| 383 OCSPCacheItem *item) { |
| 384 PR_EnterMonitor(OCSP_Global.monitor); |
| 385 |
| 386 if (!item->lessRecent && !item->moreRecent) { |
| 387 /* |
| 388 * Fail gracefully on attempts to remove an item from the list, |
| 389 * which is currently not part of the list. |
| 390 * But check for the edge case it is the single entry in the list. |
| 391 */ |
| 392 if (item == cache->LRUitem && item == cache->MRUitem) { |
| 393 /* remove the single entry */ |
| 394 PORT_Assert(cache->numberOfEntries == 1); |
| 395 PORT_Assert(item->moreRecent == NULL); |
| 396 cache->MRUitem = NULL; |
| 397 cache->LRUitem = NULL; |
| 398 } |
429 PR_ExitMonitor(OCSP_Global.monitor); | 399 PR_ExitMonitor(OCSP_Global.monitor); |
430 } | 400 return; |
431 | 401 } |
432 static void | 402 |
433 ocsp_RemoveCacheItemFromLinkedList(OCSPCacheData *cache, OCSPCacheItem *item) | 403 PORT_Assert(cache->numberOfEntries > 1); |
434 { | 404 |
435 PR_EnterMonitor(OCSP_Global.monitor); | 405 if (item == cache->LRUitem) { |
436 | 406 PORT_Assert(item != cache->MRUitem); |
437 if (!item->lessRecent && !item->moreRecent) { | 407 PORT_Assert(item->lessRecent == NULL); |
438 /* | 408 PORT_Assert(item->moreRecent != NULL); |
439 * Fail gracefully on attempts to remove an item from the list, | 409 PORT_Assert(item->moreRecent->lessRecent == item); |
440 * which is currently not part of the list. | 410 cache->LRUitem = item->moreRecent; |
441 * But check for the edge case it is the single entry in the list. | 411 cache->LRUitem->lessRecent = NULL; |
442 */ | 412 } else if (item == cache->MRUitem) { |
443 if (item == cache->LRUitem && | 413 PORT_Assert(item->moreRecent == NULL); |
444 item == cache->MRUitem) { | 414 PORT_Assert(item->lessRecent != NULL); |
445 /* remove the single entry */ | 415 PORT_Assert(item->lessRecent->moreRecent == item); |
446 PORT_Assert(cache->numberOfEntries == 1); | 416 cache->MRUitem = item->lessRecent; |
447 PORT_Assert(item->moreRecent == NULL); | 417 cache->MRUitem->moreRecent = NULL; |
448 cache->MRUitem = NULL; | 418 } else { |
449 cache->LRUitem = NULL; | 419 /* remove an entry in the middle of the list */ |
450 } | 420 PORT_Assert(item->moreRecent != NULL); |
451 PR_ExitMonitor(OCSP_Global.monitor); | 421 PORT_Assert(item->lessRecent != NULL); |
452 return; | 422 PORT_Assert(item->lessRecent->moreRecent == item); |
453 } | 423 PORT_Assert(item->moreRecent->lessRecent == item); |
454 | 424 item->moreRecent->lessRecent = item->lessRecent; |
455 PORT_Assert(cache->numberOfEntries > 1); | 425 item->lessRecent->moreRecent = item->moreRecent; |
456 ·· | 426 } |
457 if (item == cache->LRUitem) { | 427 |
458 PORT_Assert(item != cache->MRUitem); | 428 item->lessRecent = NULL; |
459 PORT_Assert(item->lessRecent == NULL); | 429 item->moreRecent = NULL; |
460 PORT_Assert(item->moreRecent != NULL); | 430 |
461 PORT_Assert(item->moreRecent->lessRecent == item); | 431 PR_ExitMonitor(OCSP_Global.monitor); |
462 cache->LRUitem = item->moreRecent; | 432 } |
463 cache->LRUitem->lessRecent = NULL; | 433 |
464 } | 434 static void ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, |
465 else if (item == cache->MRUitem) { | 435 OCSPCacheItem *new_most_recent) { |
466 PORT_Assert(item->moreRecent == NULL); | 436 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n", |
467 PORT_Assert(item->lessRecent != NULL); | 437 PR_GetCurrentThread())); |
468 PORT_Assert(item->lessRecent->moreRecent == item); | 438 PR_EnterMonitor(OCSP_Global.monitor); |
469 cache->MRUitem = item->lessRecent; | 439 if (cache->MRUitem == new_most_recent) { |
470 cache->MRUitem->moreRecent = NULL; | 440 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent ALREADY MOST\n")); |
| 441 PR_ExitMonitor(OCSP_Global.monitor); |
| 442 return; |
| 443 } |
| 444 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent NEW entry\n")); |
| 445 ocsp_RemoveCacheItemFromLinkedList(cache, new_most_recent); |
| 446 ocsp_AddCacheItemToLinkedList(cache, new_most_recent); |
| 447 PR_ExitMonitor(OCSP_Global.monitor); |
| 448 } |
| 449 |
| 450 static PRBool ocsp_IsCacheDisabled(void) { |
| 451 /* |
| 452 * maxCacheEntries == 0 means unlimited cache entries |
| 453 * maxCacheEntries < 0 means cache is disabled |
| 454 */ |
| 455 PRBool retval; |
| 456 PR_EnterMonitor(OCSP_Global.monitor); |
| 457 retval = (OCSP_Global.maxCacheEntries < 0); |
| 458 PR_ExitMonitor(OCSP_Global.monitor); |
| 459 return retval; |
| 460 } |
| 461 |
| 462 static OCSPCacheItem *ocsp_FindCacheEntry(OCSPCacheData *cache, |
| 463 CERTOCSPCertID *certID) { |
| 464 OCSPCacheItem *found_ocsp_item = NULL; |
| 465 OCSP_TRACE(("OCSP ocsp_FindCacheEntry\n")); |
| 466 OCSP_TRACE_CERTID(certID); |
| 467 PR_EnterMonitor(OCSP_Global.monitor); |
| 468 if (ocsp_IsCacheDisabled()) goto loser; |
| 469 |
| 470 found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup(cache->entries, certID); |
| 471 if (!found_ocsp_item) goto loser; |
| 472 |
| 473 OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n")); |
| 474 ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item); |
| 475 |
| 476 loser: |
| 477 PR_ExitMonitor(OCSP_Global.monitor); |
| 478 return found_ocsp_item; |
| 479 } |
| 480 |
| 481 static void ocsp_FreeCacheItem(OCSPCacheItem *item) { |
| 482 OCSP_TRACE(("OCSP ocsp_FreeCacheItem\n")); |
| 483 if (item->certStatusArena) { |
| 484 PORT_FreeArena(item->certStatusArena, PR_FALSE); |
| 485 } |
| 486 if (item->certID->poolp) { |
| 487 /* freeing this poolp arena will also free item */ |
| 488 PORT_FreeArena(item->certID->poolp, PR_FALSE); |
| 489 } |
| 490 } |
| 491 |
| 492 static void ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item) { |
| 493 /* The item we're removing could be either the least recently used item, |
| 494 * or it could be an item that couldn't get updated with newer status info |
| 495 * because of an allocation failure, or it could get removed because we're |
| 496 * cleaning up. |
| 497 */ |
| 498 PRBool couldRemoveFromHashTable; |
| 499 OCSP_TRACE( |
| 500 ("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread())); |
| 501 PR_EnterMonitor(OCSP_Global.monitor); |
| 502 |
| 503 ocsp_RemoveCacheItemFromLinkedList(cache, item); |
| 504 couldRemoveFromHashTable = PL_HashTableRemove(cache->entries, item->certID); |
| 505 PORT_Assert(couldRemoveFromHashTable); |
| 506 --cache->numberOfEntries; |
| 507 ocsp_FreeCacheItem(item); |
| 508 PR_ExitMonitor(OCSP_Global.monitor); |
| 509 } |
| 510 |
| 511 static void ocsp_CheckCacheSize(OCSPCacheData *cache) { |
| 512 OCSP_TRACE(("OCSP ocsp_CheckCacheSize\n")); |
| 513 PR_EnterMonitor(OCSP_Global.monitor); |
| 514 if (OCSP_Global.maxCacheEntries > 0) { |
| 515 /* Cache is not disabled. Number of cache entries is limited. |
| 516 * The monitor ensures that maxCacheEntries remains positive. |
| 517 */ |
| 518 while (cache->numberOfEntries > (PRUint32)OCSP_Global.maxCacheEntries) { |
| 519 ocsp_RemoveCacheItem(cache, cache->LRUitem); |
| 520 } |
| 521 } |
| 522 PR_ExitMonitor(OCSP_Global.monitor); |
| 523 } |
| 524 |
| 525 SECStatus CERT_ClearOCSPCache(void) { |
| 526 OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n")); |
| 527 PR_EnterMonitor(OCSP_Global.monitor); |
| 528 while (OCSP_Global.cache.numberOfEntries > 0) { |
| 529 ocsp_RemoveCacheItem(&OCSP_Global.cache, OCSP_Global.cache.LRUitem); |
| 530 } |
| 531 PR_ExitMonitor(OCSP_Global.monitor); |
| 532 return SECSuccess; |
| 533 } |
| 534 |
| 535 static SECStatus ocsp_CreateCacheItemAndConsumeCertID( |
| 536 OCSPCacheData *cache, CERTOCSPCertID *certID, OCSPCacheItem **pCacheItem) { |
| 537 PLArenaPool *arena; |
| 538 void *mark; |
| 539 PLHashEntry *new_hash_entry; |
| 540 OCSPCacheItem *item; |
| 541 |
| 542 PORT_Assert(pCacheItem != NULL); |
| 543 *pCacheItem = NULL; |
| 544 |
| 545 PR_EnterMonitor(OCSP_Global.monitor); |
| 546 arena = certID->poolp; |
| 547 mark = PORT_ArenaMark(arena); |
| 548 |
| 549 /* ZAlloc will init all Bools to False and all Pointers to NULL |
| 550 and all error codes to zero/good. */ |
| 551 item = |
| 552 (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp, sizeof(OCSPCacheItem)); |
| 553 if (!item) { |
| 554 goto loser; |
| 555 } |
| 556 item->certID = certID; |
| 557 new_hash_entry = PL_HashTableAdd(cache->entries, item->certID, item); |
| 558 if (!new_hash_entry) { |
| 559 goto loser; |
| 560 } |
| 561 ++cache->numberOfEntries; |
| 562 PORT_ArenaUnmark(arena, mark); |
| 563 ocsp_AddCacheItemToLinkedList(cache, item); |
| 564 *pCacheItem = item; |
| 565 |
| 566 PR_ExitMonitor(OCSP_Global.monitor); |
| 567 return SECSuccess; |
| 568 |
| 569 loser: |
| 570 PORT_ArenaRelease(arena, mark); |
| 571 PR_ExitMonitor(OCSP_Global.monitor); |
| 572 return SECFailure; |
| 573 } |
| 574 |
| 575 static SECStatus ocsp_SetCacheItemResponse( |
| 576 OCSPCacheItem *item, const CERTOCSPSingleResponse *response) { |
| 577 if (item->certStatusArena) { |
| 578 PORT_FreeArena(item->certStatusArena, PR_FALSE); |
| 579 item->certStatusArena = NULL; |
| 580 } |
| 581 item->haveThisUpdate = item->haveNextUpdate = PR_FALSE; |
| 582 if (response) { |
| 583 SECStatus rv; |
| 584 item->certStatusArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 585 if (item->certStatusArena == NULL) { |
| 586 return SECFailure; |
| 587 } |
| 588 rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus, |
| 589 response->certStatus); |
| 590 if (rv != SECSuccess) { |
| 591 PORT_FreeArena(item->certStatusArena, PR_FALSE); |
| 592 item->certStatusArena = NULL; |
| 593 return rv; |
| 594 } |
| 595 item->missingResponseError = 0; |
| 596 rv = DER_GeneralizedTimeToTime(&item->thisUpdate, &response->thisUpdate); |
| 597 item->haveThisUpdate = (rv == SECSuccess); |
| 598 if (response->nextUpdate) { |
| 599 rv = DER_GeneralizedTimeToTime(&item->nextUpdate, response->nextUpdate); |
| 600 item->haveNextUpdate = (rv == SECSuccess); |
471 } else { | 601 } else { |
472 /* remove an entry in the middle of the list */ | 602 item->haveNextUpdate = PR_FALSE; |
473 PORT_Assert(item->moreRecent != NULL); | 603 } |
474 PORT_Assert(item->lessRecent != NULL); | 604 } |
475 PORT_Assert(item->lessRecent->moreRecent == item); | 605 return SECSuccess; |
476 PORT_Assert(item->moreRecent->lessRecent == item); | 606 } |
477 item->moreRecent->lessRecent = item->lessRecent; | 607 |
478 item->lessRecent->moreRecent = item->moreRecent; | 608 static void ocsp_FreshenCacheItemNextFetchAttemptTime( |
479 } | 609 OCSPCacheItem *cacheItem) { |
480 | 610 PRTime now; |
481 item->lessRecent = NULL; | 611 PRTime earliestAllowedNextFetchAttemptTime; |
482 item->moreRecent = NULL; | 612 PRTime latestTimeWhenResponseIsConsideredFresh; |
483 | 613 |
484 PR_ExitMonitor(OCSP_Global.monitor); | 614 OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n")); |
485 } | 615 |
486 | 616 PR_EnterMonitor(OCSP_Global.monitor); |
487 static void | 617 |
488 ocsp_MakeCacheEntryMostRecent(OCSPCacheData *cache, OCSPCacheItem *new_most_rece
nt) | 618 now = PR_Now(); |
489 { | 619 OCSP_TRACE_TIME("now:", now); |
490 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent THREADID %p\n",· | 620 |
491 PR_GetCurrentThread())); | 621 if (cacheItem->haveThisUpdate) { |
492 PR_EnterMonitor(OCSP_Global.monitor); | 622 OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate); |
493 if (cache->MRUitem == new_most_recent) { | 623 latestTimeWhenResponseIsConsideredFresh = |
494 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent ALREADY MOST\n")); | 624 cacheItem->thisUpdate + |
495 PR_ExitMonitor(OCSP_Global.monitor); | 625 OCSP_Global.maximumSecondsToNextFetchAttempt * MICROSECONDS_PER_SECOND; |
496 return; | 626 OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:", |
497 } | 627 latestTimeWhenResponseIsConsideredFresh); |
498 OCSP_TRACE(("OCSP ocsp_MakeCacheEntryMostRecent NEW entry\n")); | 628 } else { |
499 ocsp_RemoveCacheItemFromLinkedList(cache, new_most_recent); | 629 latestTimeWhenResponseIsConsideredFresh = |
500 ocsp_AddCacheItemToLinkedList(cache, new_most_recent); | 630 now + |
501 PR_ExitMonitor(OCSP_Global.monitor); | 631 OCSP_Global.minimumSecondsToNextFetchAttempt * MICROSECONDS_PER_SECOND; |
502 } | 632 OCSP_TRACE_TIME( |
503 | 633 "no thisUpdate, " |
504 static PRBool | 634 "latestTimeWhenResponseIsConsideredFresh:", |
505 ocsp_IsCacheDisabled(void) | |
506 { | |
507 /*· | |
508 * maxCacheEntries == 0 means unlimited cache entries | |
509 * maxCacheEntries < 0 means cache is disabled | |
510 */ | |
511 PRBool retval; | |
512 PR_EnterMonitor(OCSP_Global.monitor); | |
513 retval = (OCSP_Global.maxCacheEntries < 0); | |
514 PR_ExitMonitor(OCSP_Global.monitor); | |
515 return retval; | |
516 } | |
517 | |
518 static OCSPCacheItem * | |
519 ocsp_FindCacheEntry(OCSPCacheData *cache, CERTOCSPCertID *certID) | |
520 { | |
521 OCSPCacheItem *found_ocsp_item = NULL; | |
522 OCSP_TRACE(("OCSP ocsp_FindCacheEntry\n")); | |
523 OCSP_TRACE_CERTID(certID); | |
524 PR_EnterMonitor(OCSP_Global.monitor); | |
525 if (ocsp_IsCacheDisabled()) | |
526 goto loser; | |
527 ·· | |
528 found_ocsp_item = (OCSPCacheItem *)PL_HashTableLookup( | |
529 cache->entries, certID); | |
530 if (!found_ocsp_item) | |
531 goto loser; | |
532 ·· | |
533 OCSP_TRACE(("OCSP ocsp_FindCacheEntry FOUND!\n")); | |
534 ocsp_MakeCacheEntryMostRecent(cache, found_ocsp_item); | |
535 | |
536 loser: | |
537 PR_ExitMonitor(OCSP_Global.monitor); | |
538 return found_ocsp_item; | |
539 } | |
540 | |
541 static void | |
542 ocsp_FreeCacheItem(OCSPCacheItem *item) | |
543 { | |
544 OCSP_TRACE(("OCSP ocsp_FreeCacheItem\n")); | |
545 if (item->certStatusArena) { | |
546 PORT_FreeArena(item->certStatusArena, PR_FALSE); | |
547 } | |
548 if (item->certID->poolp) { | |
549 /* freeing this poolp arena will also free item */ | |
550 PORT_FreeArena(item->certID->poolp, PR_FALSE); | |
551 } | |
552 } | |
553 | |
554 static void | |
555 ocsp_RemoveCacheItem(OCSPCacheData *cache, OCSPCacheItem *item) | |
556 { | |
557 /* The item we're removing could be either the least recently used item, | |
558 * or it could be an item that couldn't get updated with newer status info | |
559 * because of an allocation failure, or it could get removed because we're· | |
560 * cleaning up. | |
561 */ | |
562 PRBool couldRemoveFromHashTable; | |
563 OCSP_TRACE(("OCSP ocsp_RemoveCacheItem, THREADID %p\n", PR_GetCurrentThread(
))); | |
564 PR_EnterMonitor(OCSP_Global.monitor); | |
565 | |
566 ocsp_RemoveCacheItemFromLinkedList(cache, item); | |
567 couldRemoveFromHashTable = PL_HashTableRemove(cache->entries,· | |
568 item->certID); | |
569 PORT_Assert(couldRemoveFromHashTable); | |
570 --cache->numberOfEntries; | |
571 ocsp_FreeCacheItem(item); | |
572 PR_ExitMonitor(OCSP_Global.monitor); | |
573 } | |
574 | |
575 static void | |
576 ocsp_CheckCacheSize(OCSPCacheData *cache) | |
577 { | |
578 OCSP_TRACE(("OCSP ocsp_CheckCacheSize\n")); | |
579 PR_EnterMonitor(OCSP_Global.monitor); | |
580 if (OCSP_Global.maxCacheEntries > 0) { | |
581 /* Cache is not disabled. Number of cache entries is limited. | |
582 * The monitor ensures that maxCacheEntries remains positive. | |
583 */ | |
584 while (cache->numberOfEntries >· | |
585 (PRUint32)OCSP_Global.maxCacheEntries) { | |
586 ocsp_RemoveCacheItem(cache, cache->LRUitem); | |
587 } | |
588 } | |
589 PR_ExitMonitor(OCSP_Global.monitor); | |
590 } | |
591 | |
592 SECStatus | |
593 CERT_ClearOCSPCache(void) | |
594 { | |
595 OCSP_TRACE(("OCSP CERT_ClearOCSPCache\n")); | |
596 PR_EnterMonitor(OCSP_Global.monitor); | |
597 while (OCSP_Global.cache.numberOfEntries > 0) { | |
598 ocsp_RemoveCacheItem(&OCSP_Global.cache,· | |
599 OCSP_Global.cache.LRUitem); | |
600 } | |
601 PR_ExitMonitor(OCSP_Global.monitor); | |
602 return SECSuccess; | |
603 } | |
604 | |
605 static SECStatus | |
606 ocsp_CreateCacheItemAndConsumeCertID(OCSPCacheData *cache, | |
607 CERTOCSPCertID *certID,· | |
608 OCSPCacheItem **pCacheItem) | |
609 { | |
610 PLArenaPool *arena; | |
611 void *mark; | |
612 PLHashEntry *new_hash_entry; | |
613 OCSPCacheItem *item; | |
614 ·· | |
615 PORT_Assert(pCacheItem != NULL); | |
616 *pCacheItem = NULL; | |
617 | |
618 PR_EnterMonitor(OCSP_Global.monitor); | |
619 arena = certID->poolp; | |
620 mark = PORT_ArenaMark(arena); | |
621 ·· | |
622 /* ZAlloc will init all Bools to False and all Pointers to NULL | |
623 and all error codes to zero/good. */ | |
624 item = (OCSPCacheItem *)PORT_ArenaZAlloc(certID->poolp,· | |
625 sizeof(OCSPCacheItem)); | |
626 if (!item) { | |
627 goto loser;· | |
628 } | |
629 item->certID = certID; | |
630 new_hash_entry = PL_HashTableAdd(cache->entries, item->certID,· | |
631 item); | |
632 if (!new_hash_entry) { | |
633 goto loser; | |
634 } | |
635 ++cache->numberOfEntries; | |
636 PORT_ArenaUnmark(arena, mark); | |
637 ocsp_AddCacheItemToLinkedList(cache, item); | |
638 *pCacheItem = item; | |
639 | |
640 PR_ExitMonitor(OCSP_Global.monitor); | |
641 return SECSuccess; | |
642 ·· | |
643 loser: | |
644 PORT_ArenaRelease(arena, mark); | |
645 PR_ExitMonitor(OCSP_Global.monitor); | |
646 return SECFailure; | |
647 } | |
648 | |
649 static SECStatus | |
650 ocsp_SetCacheItemResponse(OCSPCacheItem *item, | |
651 const CERTOCSPSingleResponse *response) | |
652 { | |
653 if (item->certStatusArena) { | |
654 PORT_FreeArena(item->certStatusArena, PR_FALSE); | |
655 item->certStatusArena = NULL; | |
656 } | |
657 item->haveThisUpdate = item->haveNextUpdate = PR_FALSE; | |
658 if (response) { | |
659 SECStatus rv; | |
660 item->certStatusArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
661 if (item->certStatusArena == NULL) { | |
662 return SECFailure; | |
663 } | |
664 rv = ocsp_CopyCertStatus(item->certStatusArena, &item->certStatus,· | |
665 response->certStatus); | |
666 if (rv != SECSuccess) { | |
667 PORT_FreeArena(item->certStatusArena, PR_FALSE); | |
668 item->certStatusArena = NULL; | |
669 return rv; | |
670 } | |
671 item->missingResponseError = 0; | |
672 rv = DER_GeneralizedTimeToTime(&item->thisUpdate,· | |
673 &response->thisUpdate); | |
674 item->haveThisUpdate = (rv == SECSuccess); | |
675 if (response->nextUpdate) { | |
676 rv = DER_GeneralizedTimeToTime(&item->nextUpdate,· | |
677 response->nextUpdate); | |
678 item->haveNextUpdate = (rv == SECSuccess); | |
679 } else { | |
680 item->haveNextUpdate = PR_FALSE; | |
681 } | |
682 } | |
683 return SECSuccess; | |
684 } | |
685 | |
686 static void | |
687 ocsp_FreshenCacheItemNextFetchAttemptTime(OCSPCacheItem *cacheItem) | |
688 { | |
689 PRTime now; | |
690 PRTime earliestAllowedNextFetchAttemptTime; | |
691 PRTime latestTimeWhenResponseIsConsideredFresh; | |
692 ·· | |
693 OCSP_TRACE(("OCSP ocsp_FreshenCacheItemNextFetchAttemptTime\n")); | |
694 | |
695 PR_EnterMonitor(OCSP_Global.monitor); | |
696 ·· | |
697 now = PR_Now(); | |
698 OCSP_TRACE_TIME("now:", now); | |
699 ·· | |
700 if (cacheItem->haveThisUpdate) { | |
701 OCSP_TRACE_TIME("thisUpdate:", cacheItem->thisUpdate); | |
702 latestTimeWhenResponseIsConsideredFresh = cacheItem->thisUpdate + | |
703 OCSP_Global.maximumSecondsToNextFetchAttempt *· | |
704 MICROSECONDS_PER_SECOND; | |
705 OCSP_TRACE_TIME("latestTimeWhenResponseIsConsideredFresh:",· | |
706 latestTimeWhenResponseIsConsideredFresh); | |
707 } else { | |
708 latestTimeWhenResponseIsConsideredFresh = now + | |
709 OCSP_Global.minimumSecondsToNextFetchAttempt * | |
710 MICROSECONDS_PER_SECOND; | |
711 OCSP_TRACE_TIME("no thisUpdate, " | |
712 "latestTimeWhenResponseIsConsideredFresh:",· | |
713 latestTimeWhenResponseIsConsideredFresh); | |
714 } | |
715 ·· | |
716 if (cacheItem->haveNextUpdate) { | |
717 OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate); | |
718 } | |
719 ·· | |
720 if (cacheItem->haveNextUpdate && | |
721 cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) { | |
722 latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate; | |
723 OCSP_TRACE_TIME("nextUpdate is smaller than latestFresh, setting " | |
724 "latestTimeWhenResponseIsConsideredFresh:",· | |
725 latestTimeWhenResponseIsConsideredFresh); | |
726 } | |
727 ·· | |
728 earliestAllowedNextFetchAttemptTime = now + | |
729 OCSP_Global.minimumSecondsToNextFetchAttempt *· | |
730 MICROSECONDS_PER_SECOND; | |
731 OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:",· | |
732 earliestAllowedNextFetchAttemptTime); | |
733 ·· | |
734 if (latestTimeWhenResponseIsConsideredFresh <· | |
735 earliestAllowedNextFetchAttemptTime) { | |
736 latestTimeWhenResponseIsConsideredFresh =· | |
737 earliestAllowedNextFetchAttemptTime; | |
738 OCSP_TRACE_TIME("latest < earliest, setting latest to:",· | |
739 latestTimeWhenResponseIsConsideredFresh); | |
740 } | |
741 ·· | |
742 cacheItem->nextFetchAttemptTime =· | |
743 latestTimeWhenResponseIsConsideredFresh; | |
744 OCSP_TRACE_TIME("nextFetchAttemptTime",· | |
745 latestTimeWhenResponseIsConsideredFresh); | 635 latestTimeWhenResponseIsConsideredFresh); |
746 | 636 } |
747 PR_ExitMonitor(OCSP_Global.monitor); | 637 |
748 } | 638 if (cacheItem->haveNextUpdate) { |
749 | 639 OCSP_TRACE_TIME("have nextUpdate:", cacheItem->nextUpdate); |
750 static PRBool | 640 } |
751 ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem) | 641 |
752 { | 642 if (cacheItem->haveNextUpdate && |
753 PRTime now; | 643 cacheItem->nextUpdate < latestTimeWhenResponseIsConsideredFresh) { |
754 PRBool fresh; | 644 latestTimeWhenResponseIsConsideredFresh = cacheItem->nextUpdate; |
755 | 645 OCSP_TRACE_TIME( |
756 now = PR_Now(); | 646 "nextUpdate is smaller than latestFresh, setting " |
757 | 647 "latestTimeWhenResponseIsConsideredFresh:", |
758 fresh = cacheItem->nextFetchAttemptTime > now; | 648 latestTimeWhenResponseIsConsideredFresh); |
759 | 649 } |
760 /* Work around broken OCSP responders that return unknown responses for | 650 |
761 * certificates, especially certificates that were just recently issued. | 651 earliestAllowedNextFetchAttemptTime = |
762 */ | 652 now + |
763 if (fresh && cacheItem->certStatusArena && | 653 OCSP_Global.minimumSecondsToNextFetchAttempt * MICROSECONDS_PER_SECOND; |
764 cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) { | 654 OCSP_TRACE_TIME("earliestAllowedNextFetchAttemptTime:", |
765 fresh = PR_FALSE; | 655 earliestAllowedNextFetchAttemptTime); |
766 } | 656 |
767 | 657 if (latestTimeWhenResponseIsConsideredFresh < |
768 OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh)); | 658 earliestAllowedNextFetchAttemptTime) { |
769 | 659 latestTimeWhenResponseIsConsideredFresh = |
770 return fresh; | 660 earliestAllowedNextFetchAttemptTime; |
| 661 OCSP_TRACE_TIME("latest < earliest, setting latest to:", |
| 662 latestTimeWhenResponseIsConsideredFresh); |
| 663 } |
| 664 |
| 665 cacheItem->nextFetchAttemptTime = latestTimeWhenResponseIsConsideredFresh; |
| 666 OCSP_TRACE_TIME("nextFetchAttemptTime", |
| 667 latestTimeWhenResponseIsConsideredFresh); |
| 668 |
| 669 PR_ExitMonitor(OCSP_Global.monitor); |
| 670 } |
| 671 |
| 672 static PRBool ocsp_IsCacheItemFresh(OCSPCacheItem *cacheItem) { |
| 673 PRTime now; |
| 674 PRBool fresh; |
| 675 |
| 676 now = PR_Now(); |
| 677 |
| 678 fresh = cacheItem->nextFetchAttemptTime > now; |
| 679 |
| 680 /* Work around broken OCSP responders that return unknown responses for |
| 681 * certificates, especially certificates that were just recently issued. |
| 682 */ |
| 683 if (fresh && cacheItem->certStatusArena && |
| 684 cacheItem->certStatus.certStatusType == ocspCertStatus_unknown) { |
| 685 fresh = PR_FALSE; |
| 686 } |
| 687 |
| 688 OCSP_TRACE(("OCSP ocsp_IsCacheItemFresh: %d\n", fresh)); |
| 689 |
| 690 return fresh; |
771 } | 691 } |
772 | 692 |
773 /* | 693 /* |
774 * Status in *certIDWasConsumed will always be correct, regardless of | 694 * Status in *certIDWasConsumed will always be correct, regardless of |
775 * return value. | 695 * return value. |
776 * If the caller is unable to transfer ownership of certID, | 696 * If the caller is unable to transfer ownership of certID, |
777 * then the caller must set certIDWasConsumed to NULL, | 697 * then the caller must set certIDWasConsumed to NULL, |
778 * and this function will potentially duplicate the certID object. | 698 * and this function will potentially duplicate the certID object. |
779 */ | 699 */ |
780 static SECStatus | 700 static SECStatus ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache, |
781 ocsp_CreateOrUpdateCacheEntry(OCSPCacheData *cache,· | 701 CERTOCSPCertID *certID, |
782 CERTOCSPCertID *certID, | 702 CERTOCSPSingleResponse *single, |
783 CERTOCSPSingleResponse *single, | 703 PRBool *certIDWasConsumed) { |
784 PRBool *certIDWasConsumed) | 704 SECStatus rv; |
785 { | 705 OCSPCacheItem *cacheItem; |
786 SECStatus rv; | 706 OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n")); |
787 OCSPCacheItem *cacheItem; | 707 |
788 OCSP_TRACE(("OCSP ocsp_CreateOrUpdateCacheEntry\n")); | 708 if (certIDWasConsumed) *certIDWasConsumed = PR_FALSE; |
789 ·· | 709 |
790 if (certIDWasConsumed) | 710 PR_EnterMonitor(OCSP_Global.monitor); |
791 *certIDWasConsumed = PR_FALSE; | 711 PORT_Assert(OCSP_Global.maxCacheEntries >= 0); |
792 ·· | 712 |
793 PR_EnterMonitor(OCSP_Global.monitor); | 713 cacheItem = ocsp_FindCacheEntry(cache, certID); |
794 PORT_Assert(OCSP_Global.maxCacheEntries >= 0); | 714 |
795 ·· | 715 /* Don't replace an unknown or revoked entry with an error entry, even if |
796 cacheItem = ocsp_FindCacheEntry(cache, certID); | 716 * the existing entry is expired. Instead, we'll continue to use the |
797 | 717 * existing (possibly expired) cache entry until we receive a valid signed |
798 /* Don't replace an unknown or revoked entry with an error entry, even if | 718 * response to replace it. |
799 * the existing entry is expired. Instead, we'll continue to use the | 719 */ |
800 * existing (possibly expired) cache entry until we receive a valid signed | 720 if (!single && cacheItem && cacheItem->certStatusArena && |
801 * response to replace it. | 721 (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked || |
802 */ | 722 cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) { |
803 if (!single && cacheItem && cacheItem->certStatusArena && | |
804 (cacheItem->certStatus.certStatusType == ocspCertStatus_revoked || | |
805 cacheItem->certStatus.certStatusType == ocspCertStatus_unknown)) { | |
806 PR_ExitMonitor(OCSP_Global.monitor); | |
807 return SECSuccess; | |
808 } | |
809 | |
810 if (!cacheItem) { | |
811 CERTOCSPCertID *myCertID; | |
812 if (certIDWasConsumed) { | |
813 myCertID = certID; | |
814 *certIDWasConsumed = PR_TRUE; | |
815 } else { | |
816 myCertID = cert_DupOCSPCertID(certID); | |
817 if (!myCertID) { | |
818 PR_ExitMonitor(OCSP_Global.monitor); | |
819 PORT_SetError(PR_OUT_OF_MEMORY_ERROR); | |
820 return SECFailure; | |
821 } | |
822 } | |
823 | |
824 rv = ocsp_CreateCacheItemAndConsumeCertID(cache, myCertID, | |
825 &cacheItem); | |
826 if (rv != SECSuccess) { | |
827 PR_ExitMonitor(OCSP_Global.monitor); | |
828 return rv; | |
829 } | |
830 } | |
831 if (single) { | |
832 PRTime thisUpdate; | |
833 rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); | |
834 | |
835 if (!cacheItem->haveThisUpdate || | |
836 (rv == SECSuccess && cacheItem->thisUpdate < thisUpdate)) { | |
837 rv = ocsp_SetCacheItemResponse(cacheItem, single); | |
838 if (rv != SECSuccess) { | |
839 ocsp_RemoveCacheItem(cache, cacheItem); | |
840 PR_ExitMonitor(OCSP_Global.monitor); | |
841 return rv; | |
842 } | |
843 } else { | |
844 OCSP_TRACE(("Not caching response because the response is not " | |
845 "newer than the cache")); | |
846 } | |
847 } else { | |
848 cacheItem->missingResponseError = PORT_GetError(); | |
849 if (cacheItem->certStatusArena) { | |
850 PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE); | |
851 cacheItem->certStatusArena = NULL; | |
852 } | |
853 } | |
854 ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem); | |
855 ocsp_CheckCacheSize(cache); | |
856 | |
857 PR_ExitMonitor(OCSP_Global.monitor); | 723 PR_ExitMonitor(OCSP_Global.monitor); |
858 return SECSuccess; | 724 return SECSuccess; |
859 } | 725 } |
860 | 726 |
861 extern SECStatus | 727 if (!cacheItem) { |
862 CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode) | 728 CERTOCSPCertID *myCertID; |
863 { | 729 if (certIDWasConsumed) { |
864 switch (ocspFailureMode) { | 730 myCertID = certID; |
| 731 *certIDWasConsumed = PR_TRUE; |
| 732 } else { |
| 733 myCertID = cert_DupOCSPCertID(certID); |
| 734 if (!myCertID) { |
| 735 PR_ExitMonitor(OCSP_Global.monitor); |
| 736 PORT_SetError(PR_OUT_OF_MEMORY_ERROR); |
| 737 return SECFailure; |
| 738 } |
| 739 } |
| 740 |
| 741 rv = ocsp_CreateCacheItemAndConsumeCertID(cache, myCertID, &cacheItem); |
| 742 if (rv != SECSuccess) { |
| 743 PR_ExitMonitor(OCSP_Global.monitor); |
| 744 return rv; |
| 745 } |
| 746 } |
| 747 if (single) { |
| 748 PRTime thisUpdate; |
| 749 rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); |
| 750 |
| 751 if (!cacheItem->haveThisUpdate || |
| 752 (rv == SECSuccess && cacheItem->thisUpdate < thisUpdate)) { |
| 753 rv = ocsp_SetCacheItemResponse(cacheItem, single); |
| 754 if (rv != SECSuccess) { |
| 755 ocsp_RemoveCacheItem(cache, cacheItem); |
| 756 PR_ExitMonitor(OCSP_Global.monitor); |
| 757 return rv; |
| 758 } |
| 759 } else { |
| 760 OCSP_TRACE( |
| 761 ("Not caching response because the response is not " |
| 762 "newer than the cache")); |
| 763 } |
| 764 } else { |
| 765 cacheItem->missingResponseError = PORT_GetError(); |
| 766 if (cacheItem->certStatusArena) { |
| 767 PORT_FreeArena(cacheItem->certStatusArena, PR_FALSE); |
| 768 cacheItem->certStatusArena = NULL; |
| 769 } |
| 770 } |
| 771 ocsp_FreshenCacheItemNextFetchAttemptTime(cacheItem); |
| 772 ocsp_CheckCacheSize(cache); |
| 773 |
| 774 PR_ExitMonitor(OCSP_Global.monitor); |
| 775 return SECSuccess; |
| 776 } |
| 777 |
| 778 extern SECStatus CERT_SetOCSPFailureMode(SEC_OcspFailureMode ocspFailureMode) { |
| 779 switch (ocspFailureMode) { |
865 case ocspMode_FailureIsVerificationFailure: | 780 case ocspMode_FailureIsVerificationFailure: |
866 case ocspMode_FailureIsNotAVerificationFailure: | 781 case ocspMode_FailureIsNotAVerificationFailure: |
867 break; | 782 break; |
868 default: | 783 default: |
869 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 784 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
870 return SECFailure; | 785 return SECFailure; |
871 } | 786 } |
872 | 787 |
873 PR_EnterMonitor(OCSP_Global.monitor); | 788 PR_EnterMonitor(OCSP_Global.monitor); |
874 OCSP_Global.ocspFailureMode = ocspFailureMode; | 789 OCSP_Global.ocspFailureMode = ocspFailureMode; |
875 PR_ExitMonitor(OCSP_Global.monitor); | 790 PR_ExitMonitor(OCSP_Global.monitor); |
876 return SECSuccess; | 791 return SECSuccess; |
877 } | 792 } |
878 | 793 |
879 SECStatus | 794 SECStatus CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, |
880 CERT_OCSPCacheSettings(PRInt32 maxCacheEntries, | 795 PRUint32 minimumSecondsToNextFetchAttempt, |
881 PRUint32 minimumSecondsToNextFetchAttempt, | 796 PRUint32 maximumSecondsToNextFetchAttempt) { |
882 PRUint32 maximumSecondsToNextFetchAttempt) | 797 if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt || |
883 { | 798 maxCacheEntries < -1) { |
884 if (minimumSecondsToNextFetchAttempt > maximumSecondsToNextFetchAttempt | 799 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
885 || maxCacheEntries < -1) { | 800 return SECFailure; |
886 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 801 } |
887 return SECFailure; | 802 |
888 } | 803 PR_EnterMonitor(OCSP_Global.monitor); |
889 ·· | 804 |
890 PR_EnterMonitor(OCSP_Global.monitor); | 805 if (maxCacheEntries < 0) { |
891 ·· | 806 OCSP_Global.maxCacheEntries = -1; /* disable cache */ |
892 if (maxCacheEntries < 0) { | 807 } else if (maxCacheEntries == 0) { |
893 OCSP_Global.maxCacheEntries = -1; /* disable cache */ | 808 OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */ |
894 } else if (maxCacheEntries == 0) { | 809 } else { |
895 OCSP_Global.maxCacheEntries = 0; /* unlimited cache entries */ | 810 OCSP_Global.maxCacheEntries = maxCacheEntries; |
896 } else { | 811 } |
897 OCSP_Global.maxCacheEntries = maxCacheEntries; | 812 |
898 } | 813 if (minimumSecondsToNextFetchAttempt < |
899 ·· | 814 OCSP_Global.minimumSecondsToNextFetchAttempt || |
900 if (minimumSecondsToNextFetchAttempt <· | 815 maximumSecondsToNextFetchAttempt < |
901 OCSP_Global.minimumSecondsToNextFetchAttempt | 816 OCSP_Global.maximumSecondsToNextFetchAttempt) { |
902 || maximumSecondsToNextFetchAttempt <· | 817 /* |
903 OCSP_Global.maximumSecondsToNextFetchAttempt) { | 818 * Ensure our existing cache entries are not used longer than the |
904 /* | 819 * new settings allow, we're lazy and just clear the cache |
905 * Ensure our existing cache entries are not used longer than the· | 820 */ |
906 * new settings allow, we're lazy and just clear the cache | 821 CERT_ClearOCSPCache(); |
907 */ | 822 } |
908 CERT_ClearOCSPCache(); | 823 |
909 } | 824 OCSP_Global.minimumSecondsToNextFetchAttempt = |
910 ·· | 825 minimumSecondsToNextFetchAttempt; |
911 OCSP_Global.minimumSecondsToNextFetchAttempt =· | 826 OCSP_Global.maximumSecondsToNextFetchAttempt = |
912 minimumSecondsToNextFetchAttempt; | 827 maximumSecondsToNextFetchAttempt; |
913 OCSP_Global.maximumSecondsToNextFetchAttempt =· | 828 ocsp_CheckCacheSize(&OCSP_Global.cache); |
914 maximumSecondsToNextFetchAttempt; | 829 |
915 ocsp_CheckCacheSize(&OCSP_Global.cache); | 830 PR_ExitMonitor(OCSP_Global.monitor); |
916 ·· | 831 return SECSuccess; |
917 PR_ExitMonitor(OCSP_Global.monitor); | 832 } |
918 return SECSuccess; | 833 |
919 } | 834 SECStatus CERT_SetOCSPTimeout(PRUint32 seconds) { |
920 | 835 /* no locking, see bug 406120 */ |
921 SECStatus | 836 OCSP_Global.timeoutSeconds = seconds; |
922 CERT_SetOCSPTimeout(PRUint32 seconds) | 837 return SECSuccess; |
923 { | |
924 /* no locking, see bug 406120 */ | |
925 OCSP_Global.timeoutSeconds = seconds; | |
926 return SECSuccess; | |
927 } | 838 } |
928 | 839 |
929 /* this function is called at NSS initialization time */ | 840 /* this function is called at NSS initialization time */ |
930 SECStatus OCSP_InitGlobal(void) | 841 SECStatus OCSP_InitGlobal(void) { |
931 { | 842 SECStatus rv = SECFailure; |
932 SECStatus rv = SECFailure; | 843 |
933 | 844 if (OCSP_Global.monitor == NULL) { |
934 if (OCSP_Global.monitor == NULL) { | 845 OCSP_Global.monitor = PR_NewMonitor(); |
935 OCSP_Global.monitor = PR_NewMonitor(); | 846 } |
936 } | 847 if (!OCSP_Global.monitor) return SECFailure; |
937 if (!OCSP_Global.monitor) | 848 |
938 return SECFailure; | 849 PR_EnterMonitor(OCSP_Global.monitor); |
939 | 850 if (!OCSP_Global.cache.entries) { |
940 PR_EnterMonitor(OCSP_Global.monitor); | 851 OCSP_Global.cache.entries = PL_NewHashTable(0, ocsp_CacheKeyHashFunction, |
941 if (!OCSP_Global.cache.entries) { | 852 ocsp_CacheKeyCompareFunction, |
942 OCSP_Global.cache.entries =· | 853 PL_CompareValues, NULL, NULL); |
943 PL_NewHashTable(0,· | 854 OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure; |
944 ocsp_CacheKeyHashFunction,· | 855 OCSP_Global.cache.numberOfEntries = 0; |
945 ocsp_CacheKeyCompareFunction,· | |
946 PL_CompareValues,· | |
947 NULL,· | |
948 NULL); | |
949 OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure; | |
950 OCSP_Global.cache.numberOfEntries = 0; | |
951 OCSP_Global.cache.MRUitem = NULL; | |
952 OCSP_Global.cache.LRUitem = NULL; | |
953 } else { | |
954 /* | |
955 * NSS might call this function twice while attempting to init. | |
956 * But it's not allowed to call this again after any activity. | |
957 */ | |
958 PORT_Assert(OCSP_Global.cache.numberOfEntries == 0); | |
959 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
960 } | |
961 if (OCSP_Global.cache.entries) | |
962 rv = SECSuccess; | |
963 PR_ExitMonitor(OCSP_Global.monitor); | |
964 return rv; | |
965 } | |
966 | |
967 SECStatus OCSP_ShutdownGlobal(void) | |
968 { | |
969 if (!OCSP_Global.monitor) | |
970 return SECSuccess; | |
971 | |
972 PR_EnterMonitor(OCSP_Global.monitor); | |
973 if (OCSP_Global.cache.entries) { | |
974 CERT_ClearOCSPCache(); | |
975 PL_HashTableDestroy(OCSP_Global.cache.entries); | |
976 OCSP_Global.cache.entries = NULL; | |
977 } | |
978 PORT_Assert(OCSP_Global.cache.numberOfEntries == 0); | |
979 OCSP_Global.cache.MRUitem = NULL; | 856 OCSP_Global.cache.MRUitem = NULL; |
980 OCSP_Global.cache.LRUitem = NULL; | 857 OCSP_Global.cache.LRUitem = NULL; |
981 | 858 } else { |
982 OCSP_Global.defaultHttpClientFcn = NULL; | 859 /* |
983 OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE; | 860 * NSS might call this function twice while attempting to init. |
984 OCSP_Global.minimumSecondsToNextFetchAttempt =· | 861 * But it's not allowed to call this again after any activity. |
| 862 */ |
| 863 PORT_Assert(OCSP_Global.cache.numberOfEntries == 0); |
| 864 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| 865 } |
| 866 if (OCSP_Global.cache.entries) rv = SECSuccess; |
| 867 PR_ExitMonitor(OCSP_Global.monitor); |
| 868 return rv; |
| 869 } |
| 870 |
| 871 SECStatus OCSP_ShutdownGlobal(void) { |
| 872 if (!OCSP_Global.monitor) return SECSuccess; |
| 873 |
| 874 PR_EnterMonitor(OCSP_Global.monitor); |
| 875 if (OCSP_Global.cache.entries) { |
| 876 CERT_ClearOCSPCache(); |
| 877 PL_HashTableDestroy(OCSP_Global.cache.entries); |
| 878 OCSP_Global.cache.entries = NULL; |
| 879 } |
| 880 PORT_Assert(OCSP_Global.cache.numberOfEntries == 0); |
| 881 OCSP_Global.cache.MRUitem = NULL; |
| 882 OCSP_Global.cache.LRUitem = NULL; |
| 883 |
| 884 OCSP_Global.defaultHttpClientFcn = NULL; |
| 885 OCSP_Global.maxCacheEntries = DEFAULT_OCSP_CACHE_SIZE; |
| 886 OCSP_Global.minimumSecondsToNextFetchAttempt = |
985 DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; | 887 DEFAULT_MINIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; |
986 OCSP_Global.maximumSecondsToNextFetchAttempt = | 888 OCSP_Global.maximumSecondsToNextFetchAttempt = |
987 DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; | 889 DEFAULT_MAXIMUM_SECONDS_TO_NEXT_OCSP_FETCH_ATTEMPT; |
988 OCSP_Global.ocspFailureMode = | 890 OCSP_Global.ocspFailureMode = ocspMode_FailureIsVerificationFailure; |
989 ocspMode_FailureIsVerificationFailure; | 891 PR_ExitMonitor(OCSP_Global.monitor); |
990 PR_ExitMonitor(OCSP_Global.monitor); | 892 |
991 | 893 PR_DestroyMonitor(OCSP_Global.monitor); |
992 PR_DestroyMonitor(OCSP_Global.monitor); | 894 OCSP_Global.monitor = NULL; |
993 OCSP_Global.monitor = NULL; | 895 return SECSuccess; |
994 return SECSuccess; | |
995 } | 896 } |
996 | 897 |
997 /* | 898 /* |
998 * A return value of NULL means: | 899 * A return value of NULL means: |
999 * The application did not register it's own HTTP client. | 900 * The application did not register it's own HTTP client. |
1000 */ | 901 */ |
1001 const SEC_HttpClientFcn *SEC_GetRegisteredHttpClient(void) | 902 const SEC_HttpClientFcn *SEC_GetRegisteredHttpClient(void) { |
1002 { | 903 const SEC_HttpClientFcn *retval; |
1003 const SEC_HttpClientFcn *retval; | 904 |
1004 | 905 if (!OCSP_Global.monitor) { |
1005 if (!OCSP_Global.monitor) { | 906 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
1006 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 907 return NULL; |
1007 return NULL; | 908 } |
1008 } | 909 |
1009 | 910 PR_EnterMonitor(OCSP_Global.monitor); |
1010 PR_EnterMonitor(OCSP_Global.monitor); | 911 retval = OCSP_Global.defaultHttpClientFcn; |
1011 retval = OCSP_Global.defaultHttpClientFcn; | 912 PR_ExitMonitor(OCSP_Global.monitor); |
1012 PR_ExitMonitor(OCSP_Global.monitor); | 913 |
1013 | 914 return retval; |
1014 return retval; | |
1015 } | 915 } |
1016 | 916 |
1017 /* | 917 /* |
1018 * The following structure is only used internally. It is allocated when | 918 * The following structure is only used internally. It is allocated when |
1019 * someone turns on OCSP checking, and hangs off of the status-configuration | 919 * someone turns on OCSP checking, and hangs off of the status-configuration |
1020 * structure in the certdb structure. We use it to keep configuration | 920 * structure in the certdb structure. We use it to keep configuration |
1021 * information specific to OCSP checking. | 921 * information specific to OCSP checking. |
1022 */ | 922 */ |
1023 typedef struct ocspCheckingContextStr { | 923 typedef struct ocspCheckingContextStr { |
1024 PRBool useDefaultResponder; | 924 PRBool useDefaultResponder; |
1025 char *defaultResponderURI; | 925 char *defaultResponderURI; |
1026 char *defaultResponderNickname; | 926 char *defaultResponderNickname; |
1027 CERTCertificate *defaultResponderCert; | 927 CERTCertificate *defaultResponderCert; |
1028 } ocspCheckingContext; | 928 } ocspCheckingContext; |
1029 | 929 |
1030 SEC_ASN1_MKSUB(SEC_AnyTemplate) | 930 SEC_ASN1_MKSUB(SEC_AnyTemplate) |
1031 SEC_ASN1_MKSUB(SEC_IntegerTemplate) | 931 SEC_ASN1_MKSUB(SEC_IntegerTemplate) |
1032 SEC_ASN1_MKSUB(SEC_NullTemplate) | 932 SEC_ASN1_MKSUB(SEC_NullTemplate) |
1033 SEC_ASN1_MKSUB(SEC_OctetStringTemplate) | 933 SEC_ASN1_MKSUB(SEC_OctetStringTemplate) |
1034 SEC_ASN1_MKSUB(SEC_PointerToAnyTemplate) | 934 SEC_ASN1_MKSUB(SEC_PointerToAnyTemplate) |
1035 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) | 935 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) |
1036 SEC_ASN1_MKSUB(SEC_SequenceOfAnyTemplate) | 936 SEC_ASN1_MKSUB(SEC_SequenceOfAnyTemplate) |
1037 SEC_ASN1_MKSUB(SEC_PointerToGeneralizedTimeTemplate) | 937 SEC_ASN1_MKSUB(SEC_PointerToGeneralizedTimeTemplate) |
1038 SEC_ASN1_MKSUB(SEC_PointerToEnumeratedTemplate) | 938 SEC_ASN1_MKSUB(SEC_PointerToEnumeratedTemplate) |
1039 | 939 |
1040 /* | 940 /* |
1041 * Forward declarations of sub-types, so I can lay out the types in the | 941 * Forward declarations of sub-types, so I can lay out the types in the |
1042 * same order as the ASN.1 is laid out in the OCSP spec itself. | 942 * same order as the ASN.1 is laid out in the OCSP spec itself. |
1043 * | 943 * |
1044 * These are in alphabetical order (case-insensitive); please keep it that way! | 944 * These are in alphabetical order (case-insensitive); please keep it that way! |
1045 */ | 945 */ |
1046 extern const SEC_ASN1Template ocsp_CertIDTemplate[]; | 946 extern const SEC_ASN1Template ocsp_CertIDTemplate[]; |
1047 extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[]; | 947 extern const SEC_ASN1Template ocsp_PointerToSignatureTemplate[]; |
1048 extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[]; | 948 extern const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[]; |
1049 extern const SEC_ASN1Template ocsp_ResponseDataTemplate[]; | 949 extern const SEC_ASN1Template ocsp_ResponseDataTemplate[]; |
1050 extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[]; | 950 extern const SEC_ASN1Template ocsp_RevokedInfoTemplate[]; |
1051 extern const SEC_ASN1Template ocsp_SingleRequestTemplate[]; | 951 extern const SEC_ASN1Template ocsp_SingleRequestTemplate[]; |
1052 extern const SEC_ASN1Template ocsp_SingleResponseTemplate[]; | 952 extern const SEC_ASN1Template ocsp_SingleResponseTemplate[]; |
1053 extern const SEC_ASN1Template ocsp_TBSRequestTemplate[]; | 953 extern const SEC_ASN1Template ocsp_TBSRequestTemplate[]; |
1054 | 954 |
1055 | |
1056 /* | 955 /* |
1057 * Request-related templates... | 956 * Request-related templates... |
1058 */ | 957 */ |
1059 | 958 |
1060 /* | 959 /* |
1061 * OCSPRequest ::= SEQUENCE { | 960 * OCSPRequest ::= SEQUENCE { |
1062 * tbsRequest TBSRequest, | 961 * tbsRequest TBSRequest, |
1063 * optionalSignature [0] EXPLICIT Signature OPTIONAL } | 962 * optionalSignature [0] EXPLICIT Signature OPTIONAL } |
1064 */ | 963 */ |
1065 static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = { | 964 static const SEC_ASN1Template ocsp_OCSPRequestTemplate[] = { |
1066 { SEC_ASN1_SEQUENCE, | 965 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTOCSPRequest)}, |
1067 » 0, NULL, sizeof(CERTOCSPRequest) }, | 966 {SEC_ASN1_POINTER, offsetof(CERTOCSPRequest, tbsRequest), |
1068 { SEC_ASN1_POINTER, | 967 ocsp_TBSRequestTemplate}, |
1069 » offsetof(CERTOCSPRequest, tbsRequest), | 968 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1070 » ocsp_TBSRequestTemplate }, | 969 SEC_ASN1_CONTEXT_SPECIFIC | 0, |
1071 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 970 offsetof(CERTOCSPRequest, optionalSignature), |
1072 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, | 971 ocsp_PointerToSignatureTemplate}, |
1073 » offsetof(CERTOCSPRequest, optionalSignature), | 972 {0}}; |
1074 » ocsp_PointerToSignatureTemplate }, | |
1075 { 0 } | |
1076 }; | |
1077 | 973 |
1078 /* | 974 /* |
1079 * TBSRequest ::= SEQUENCE { | 975 * TBSRequest ::= SEQUENCE { |
1080 * version [0] EXPLICIT Version DEFAULT v1, | 976 * version [0] EXPLICIT Version DEFAULT v1, |
1081 * requestorName [1] EXPLICIT GeneralName OPTIONAL, | 977 * requestorName [1] EXPLICIT GeneralName OPTIONAL, |
1082 * requestList SEQUENCE OF Request, | 978 * requestList SEQUENCE OF Request, |
1083 * requestExtensions [2] EXPLICIT Extensions OPTIONAL } | 979 * requestExtensions [2] EXPLICIT Extensions OPTIONAL } |
1084 * | 980 * |
1085 * Version ::= INTEGER { v1(0) } | 981 * Version ::= INTEGER { v1(0) } |
1086 * | 982 * |
1087 * Note: this should be static but the AIX compiler doesn't like it (because it | 983 * Note: this should be static but the AIX compiler doesn't like it (because it |
1088 * was forward-declared above); it is not meant to be exported, but this | 984 * was forward-declared above); it is not meant to be exported, but this |
1089 * is the only way it will compile. | 985 * is the only way it will compile. |
1090 */ | 986 */ |
1091 const SEC_ASN1Template ocsp_TBSRequestTemplate[] = { | 987 const SEC_ASN1Template ocsp_TBSRequestTemplate[] = { |
1092 { SEC_ASN1_SEQUENCE, | 988 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspTBSRequest)}, |
1093 » 0, NULL, sizeof(ocspTBSRequest) }, | 989 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ |
1094 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |» » /* XXX DER_DEFAULT */ | 990 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1095 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | 991 offsetof(ocspTBSRequest, version), SEC_ASN1_SUB(SEC_IntegerTemplate)}, |
1096 » offsetof(ocspTBSRequest, version), | 992 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1097 » SEC_ASN1_SUB(SEC_IntegerTemplate) }, | 993 SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, |
1098 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 994 offsetof(ocspTBSRequest, derRequestorName), |
1099 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, | 995 SEC_ASN1_SUB(SEC_PointerToAnyTemplate)}, |
1100 » offsetof(ocspTBSRequest, derRequestorName), | 996 {SEC_ASN1_SEQUENCE_OF, offsetof(ocspTBSRequest, requestList), |
1101 » SEC_ASN1_SUB(SEC_PointerToAnyTemplate) }, | 997 ocsp_SingleRequestTemplate}, |
1102 { SEC_ASN1_SEQUENCE_OF, | 998 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1103 » offsetof(ocspTBSRequest, requestList), | 999 SEC_ASN1_CONTEXT_SPECIFIC | 2, |
1104 » ocsp_SingleRequestTemplate }, | 1000 offsetof(ocspTBSRequest, requestExtensions), |
1105 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1001 CERT_SequenceOfCertExtensionTemplate}, |
1106 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, | 1002 {0}}; |
1107 » offsetof(ocspTBSRequest, requestExtensions), | |
1108 » CERT_SequenceOfCertExtensionTemplate }, | |
1109 { 0 } | |
1110 }; | |
1111 | 1003 |
1112 /* | 1004 /* |
1113 * Signature ::= SEQUENCE { | 1005 * Signature ::= SEQUENCE { |
1114 * signatureAlgorithm AlgorithmIdentifier, | 1006 * signatureAlgorithm AlgorithmIdentifier, |
1115 * signature BIT STRING, | 1007 * signature BIT STRING, |
1116 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | 1008 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } |
1117 */ | 1009 */ |
1118 static const SEC_ASN1Template ocsp_SignatureTemplate[] = { | 1010 static const SEC_ASN1Template ocsp_SignatureTemplate[] = { |
1119 { SEC_ASN1_SEQUENCE, | 1011 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspSignature)}, |
1120 » 0, NULL, sizeof(ocspSignature) }, | 1012 {SEC_ASN1_INLINE | SEC_ASN1_XTRN, |
1121 { SEC_ASN1_INLINE | SEC_ASN1_XTRN, | 1013 offsetof(ocspSignature, signatureAlgorithm), |
1122 » offsetof(ocspSignature, signatureAlgorithm), | 1014 SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate)}, |
1123 » SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, | 1015 {SEC_ASN1_BIT_STRING, offsetof(ocspSignature, signature)}, |
1124 { SEC_ASN1_BIT_STRING, | 1016 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1125 » offsetof(ocspSignature, signature) }, | 1017 SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1126 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1018 offsetof(ocspSignature, derCerts), |
1127 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | 1019 SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate)}, |
1128 » offsetof(ocspSignature, derCerts),· | 1020 {0}}; |
1129 » SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, | |
1130 { 0 } | |
1131 }; | |
1132 | 1021 |
1133 /* | 1022 /* |
1134 * This template is just an extra level to use in an explicitly-tagged | 1023 * This template is just an extra level to use in an explicitly-tagged |
1135 * reference to a Signature. | 1024 * reference to a Signature. |
1136 * | 1025 * |
1137 * Note: this should be static but the AIX compiler doesn't like it (because it | 1026 * Note: this should be static but the AIX compiler doesn't like it (because it |
1138 * was forward-declared above); it is not meant to be exported, but this | 1027 * was forward-declared above); it is not meant to be exported, but this |
1139 * is the only way it will compile. | 1028 * is the only way it will compile. |
1140 */ | 1029 */ |
1141 const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = { | 1030 const SEC_ASN1Template ocsp_PointerToSignatureTemplate[] = { |
1142 { SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate } | 1031 {SEC_ASN1_POINTER, 0, ocsp_SignatureTemplate}}; |
1143 }; | |
1144 | 1032 |
1145 /* | 1033 /* |
1146 * Request ::= SEQUENCE { | 1034 * Request ::= SEQUENCE { |
1147 * reqCert CertID, | 1035 * reqCert CertID, |
1148 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | 1036 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } |
1149 * | 1037 * |
1150 * Note: this should be static but the AIX compiler doesn't like it (because it | 1038 * Note: this should be static but the AIX compiler doesn't like it (because it |
1151 * was forward-declared above); it is not meant to be exported, but this | 1039 * was forward-declared above); it is not meant to be exported, but this |
1152 * is the only way it will compile. | 1040 * is the only way it will compile. |
1153 */ | 1041 */ |
1154 const SEC_ASN1Template ocsp_SingleRequestTemplate[] = { | 1042 const SEC_ASN1Template ocsp_SingleRequestTemplate[] = { |
1155 { SEC_ASN1_SEQUENCE, | 1043 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspSingleRequest)}, |
1156 » 0, NULL, sizeof(ocspSingleRequest) }, | 1044 {SEC_ASN1_POINTER, offsetof(ocspSingleRequest, reqCert), |
1157 { SEC_ASN1_POINTER, | 1045 ocsp_CertIDTemplate}, |
1158 » offsetof(ocspSingleRequest, reqCert), | 1046 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1159 » ocsp_CertIDTemplate }, | 1047 SEC_ASN1_CONTEXT_SPECIFIC | 0, |
1160 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1048 offsetof(ocspSingleRequest, singleRequestExtensions), |
1161 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, | 1049 CERT_SequenceOfCertExtensionTemplate}, |
1162 » offsetof(ocspSingleRequest, singleRequestExtensions), | 1050 {0}}; |
1163 » CERT_SequenceOfCertExtensionTemplate }, | |
1164 { 0 } | |
1165 }; | |
1166 | |
1167 | 1051 |
1168 /* | 1052 /* |
1169 * This data structure and template (CertID) is used by both OCSP | 1053 * This data structure and template (CertID) is used by both OCSP |
1170 * requests and responses. It is the only one that is shared. | 1054 * requests and responses. It is the only one that is shared. |
1171 * | 1055 * |
1172 * CertID ::= SEQUENCE { | 1056 * CertID ::= SEQUENCE { |
1173 * hashAlgorithm AlgorithmIdentifier, | 1057 * hashAlgorithm AlgorithmIdentifier, |
1174 * issuerNameHash OCTET STRING, -- Hash of Issuer DN | 1058 * issuerNameHash OCTET STRING, -- Hash of Issuer DN |
1175 * issuerKeyHash OCTET STRING, -- Hash of Issuer public key | 1059 * issuerKeyHash OCTET STRING, -- Hash of Issuer public key |
1176 * serialNumber CertificateSerialNumber } | 1060 * serialNumber CertificateSerialNumber } |
1177 * | 1061 * |
1178 * CertificateSerialNumber ::= INTEGER | 1062 * CertificateSerialNumber ::= INTEGER |
1179 * | 1063 * |
1180 * Note: this should be static but the AIX compiler doesn't like it (because it | 1064 * Note: this should be static but the AIX compiler doesn't like it (because it |
1181 * was forward-declared above); it is not meant to be exported, but this | 1065 * was forward-declared above); it is not meant to be exported, but this |
1182 * is the only way it will compile. | 1066 * is the only way it will compile. |
1183 */ | 1067 */ |
1184 const SEC_ASN1Template ocsp_CertIDTemplate[] = { | 1068 const SEC_ASN1Template ocsp_CertIDTemplate[] = { |
1185 { SEC_ASN1_SEQUENCE, | 1069 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTOCSPCertID)}, |
1186 » 0, NULL, sizeof(CERTOCSPCertID) }, | 1070 {SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(CERTOCSPCertID, hashAlgorithm), |
1187 { SEC_ASN1_INLINE | SEC_ASN1_XTRN, | 1071 SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate)}, |
1188 » offsetof(CERTOCSPCertID, hashAlgorithm), | 1072 {SEC_ASN1_OCTET_STRING, offsetof(CERTOCSPCertID, issuerNameHash)}, |
1189 » SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, | 1073 {SEC_ASN1_OCTET_STRING, offsetof(CERTOCSPCertID, issuerKeyHash)}, |
1190 { SEC_ASN1_OCTET_STRING, | 1074 {SEC_ASN1_INTEGER, offsetof(CERTOCSPCertID, serialNumber)}, {0}}; |
1191 » offsetof(CERTOCSPCertID, issuerNameHash) }, | |
1192 { SEC_ASN1_OCTET_STRING, | |
1193 » offsetof(CERTOCSPCertID, issuerKeyHash) }, | |
1194 { SEC_ASN1_INTEGER, | |
1195 » offsetof(CERTOCSPCertID, serialNumber) }, | |
1196 { 0 } | |
1197 }; | |
1198 | |
1199 | 1075 |
1200 /* | 1076 /* |
1201 * Response-related templates... | 1077 * Response-related templates... |
1202 */ | 1078 */ |
1203 | 1079 |
1204 /* | 1080 /* |
1205 * OCSPResponse ::= SEQUENCE { | 1081 * OCSPResponse ::= SEQUENCE { |
1206 * responseStatus OCSPResponseStatus, | 1082 * responseStatus OCSPResponseStatus, |
1207 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | 1083 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } |
1208 */ | 1084 */ |
1209 const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = { | 1085 const SEC_ASN1Template ocsp_OCSPResponseTemplate[] = { |
1210 { SEC_ASN1_SEQUENCE, | 1086 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTOCSPResponse)}, |
1211 » 0, NULL, sizeof(CERTOCSPResponse) }, | 1087 {SEC_ASN1_ENUMERATED, offsetof(CERTOCSPResponse, responseStatus)}, |
1212 { SEC_ASN1_ENUMERATED, | 1088 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1213 » offsetof(CERTOCSPResponse, responseStatus) }, | 1089 SEC_ASN1_CONTEXT_SPECIFIC | 0, |
1214 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1090 offsetof(CERTOCSPResponse, responseBytes), |
1215 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, | 1091 ocsp_PointerToResponseBytesTemplate}, |
1216 » offsetof(CERTOCSPResponse, responseBytes), | 1092 {0}}; |
1217 » ocsp_PointerToResponseBytesTemplate }, | |
1218 { 0 } | |
1219 }; | |
1220 | 1093 |
1221 /* | 1094 /* |
1222 * ResponseBytes ::= SEQUENCE { | 1095 * ResponseBytes ::= SEQUENCE { |
1223 * responseType OBJECT IDENTIFIER, | 1096 * responseType OBJECT IDENTIFIER, |
1224 * response OCTET STRING } | 1097 * response OCTET STRING } |
1225 */ | 1098 */ |
1226 const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = { | 1099 const SEC_ASN1Template ocsp_ResponseBytesTemplate[] = { |
1227 { SEC_ASN1_SEQUENCE, | 1100 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspResponseBytes)}, |
1228 » 0, NULL, sizeof(ocspResponseBytes) }, | 1101 {SEC_ASN1_OBJECT_ID, offsetof(ocspResponseBytes, responseType)}, |
1229 { SEC_ASN1_OBJECT_ID, | 1102 {SEC_ASN1_OCTET_STRING, offsetof(ocspResponseBytes, response)}, |
1230 » offsetof(ocspResponseBytes, responseType) }, | 1103 {0}}; |
1231 { SEC_ASN1_OCTET_STRING, | |
1232 » offsetof(ocspResponseBytes, response) }, | |
1233 { 0 } | |
1234 }; | |
1235 | 1104 |
1236 /* | 1105 /* |
1237 * This template is just an extra level to use in an explicitly-tagged | 1106 * This template is just an extra level to use in an explicitly-tagged |
1238 * reference to a ResponseBytes. | 1107 * reference to a ResponseBytes. |
1239 * | 1108 * |
1240 * Note: this should be static but the AIX compiler doesn't like it (because it | 1109 * Note: this should be static but the AIX compiler doesn't like it (because it |
1241 * was forward-declared above); it is not meant to be exported, but this | 1110 * was forward-declared above); it is not meant to be exported, but this |
1242 * is the only way it will compile. | 1111 * is the only way it will compile. |
1243 */ | 1112 */ |
1244 const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = { | 1113 const SEC_ASN1Template ocsp_PointerToResponseBytesTemplate[] = { |
1245 { SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate } | 1114 {SEC_ASN1_POINTER, 0, ocsp_ResponseBytesTemplate}}; |
1246 }; | |
1247 | 1115 |
1248 /* | 1116 /* |
1249 * BasicOCSPResponse ::= SEQUENCE { | 1117 * BasicOCSPResponse ::= SEQUENCE { |
1250 * tbsResponseData ResponseData, | 1118 * tbsResponseData ResponseData, |
1251 * signatureAlgorithm AlgorithmIdentifier, | 1119 * signatureAlgorithm AlgorithmIdentifier, |
1252 * signature BIT STRING, | 1120 * signature BIT STRING, |
1253 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | 1121 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } |
1254 */ | 1122 */ |
1255 static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = { | 1123 static const SEC_ASN1Template ocsp_BasicOCSPResponseTemplate[] = { |
1256 { SEC_ASN1_SEQUENCE, | 1124 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspBasicOCSPResponse)}, |
1257 » 0, NULL, sizeof(ocspBasicOCSPResponse) }, | 1125 {SEC_ASN1_ANY | SEC_ASN1_SAVE, |
1258 { SEC_ASN1_ANY | SEC_ASN1_SAVE, | 1126 offsetof(ocspBasicOCSPResponse, tbsResponseDataDER)}, |
1259 » offsetof(ocspBasicOCSPResponse, tbsResponseDataDER) }, | 1127 {SEC_ASN1_POINTER, offsetof(ocspBasicOCSPResponse, tbsResponseData), |
1260 { SEC_ASN1_POINTER, | 1128 ocsp_ResponseDataTemplate}, |
1261 » offsetof(ocspBasicOCSPResponse, tbsResponseData), | 1129 {SEC_ASN1_INLINE | SEC_ASN1_XTRN, |
1262 » ocsp_ResponseDataTemplate }, | 1130 offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), |
1263 { SEC_ASN1_INLINE | SEC_ASN1_XTRN, | 1131 SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate)}, |
1264 » offsetof(ocspBasicOCSPResponse, responseSignature.signatureAlgorithm), | 1132 {SEC_ASN1_BIT_STRING, |
1265 » SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, | 1133 offsetof(ocspBasicOCSPResponse, responseSignature.signature)}, |
1266 { SEC_ASN1_BIT_STRING, | 1134 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1267 » offsetof(ocspBasicOCSPResponse, responseSignature.signature) }, | 1135 SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1268 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1136 offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), |
1269 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | 1137 SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate)}, |
1270 » offsetof(ocspBasicOCSPResponse, responseSignature.derCerts), | 1138 {0}}; |
1271 » SEC_ASN1_SUB(SEC_SequenceOfAnyTemplate) }, | |
1272 { 0 } | |
1273 }; | |
1274 | 1139 |
1275 /* | 1140 /* |
1276 * ResponseData ::= SEQUENCE { | 1141 * ResponseData ::= SEQUENCE { |
1277 * version [0] EXPLICIT Version DEFAULT v1, | 1142 * version [0] EXPLICIT Version DEFAULT v1, |
1278 * responderID ResponderID, | 1143 * responderID ResponderID, |
1279 * producedAt GeneralizedTime, | 1144 * producedAt GeneralizedTime, |
1280 * responses SEQUENCE OF SingleResponse, | 1145 * responses SEQUENCE OF SingleResponse, |
1281 * responseExtensions [1] EXPLICIT Extensions OPTIONAL } | 1146 * responseExtensions [1] EXPLICIT Extensions OPTIONAL } |
1282 * | 1147 * |
1283 * Note: this should be static but the AIX compiler doesn't like it (because it | 1148 * Note: this should be static but the AIX compiler doesn't like it (because it |
1284 * was forward-declared above); it is not meant to be exported, but this | 1149 * was forward-declared above); it is not meant to be exported, but this |
1285 * is the only way it will compile. | 1150 * is the only way it will compile. |
1286 */ | 1151 */ |
1287 const SEC_ASN1Template ocsp_ResponseDataTemplate[] = { | 1152 const SEC_ASN1Template ocsp_ResponseDataTemplate[] = { |
1288 { SEC_ASN1_SEQUENCE, | 1153 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspResponseData)}, |
1289 » 0, NULL, sizeof(ocspResponseData) }, | 1154 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | /* XXX DER_DEFAULT */ |
1290 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT |» » /* XXX DER_DEFAULT */ | 1155 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1291 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | 1156 offsetof(ocspResponseData, version), SEC_ASN1_SUB(SEC_IntegerTemplate)}, |
1292 » offsetof(ocspResponseData, version), | 1157 {SEC_ASN1_ANY, offsetof(ocspResponseData, derResponderID)}, |
1293 » SEC_ASN1_SUB(SEC_IntegerTemplate) }, | 1158 {SEC_ASN1_GENERALIZED_TIME, offsetof(ocspResponseData, producedAt)}, |
1294 { SEC_ASN1_ANY, | 1159 {SEC_ASN1_SEQUENCE_OF, offsetof(ocspResponseData, responses), |
1295 » offsetof(ocspResponseData, derResponderID) }, | 1160 ocsp_SingleResponseTemplate}, |
1296 { SEC_ASN1_GENERALIZED_TIME, | 1161 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1297 » offsetof(ocspResponseData, producedAt) }, | 1162 SEC_ASN1_CONTEXT_SPECIFIC | 1, |
1298 { SEC_ASN1_SEQUENCE_OF, | 1163 offsetof(ocspResponseData, responseExtensions), |
1299 » offsetof(ocspResponseData, responses), | 1164 CERT_SequenceOfCertExtensionTemplate}, |
1300 » ocsp_SingleResponseTemplate }, | 1165 {0}}; |
1301 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | |
1302 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | |
1303 » offsetof(ocspResponseData, responseExtensions), | |
1304 » CERT_SequenceOfCertExtensionTemplate }, | |
1305 { 0 } | |
1306 }; | |
1307 | 1166 |
1308 /* | 1167 /* |
1309 * ResponderID ::= CHOICE { | 1168 * ResponderID ::= CHOICE { |
1310 * byName [1] EXPLICIT Name, | 1169 * byName [1] EXPLICIT Name, |
1311 * byKey [2] EXPLICIT KeyHash } | 1170 * byKey [2] EXPLICIT KeyHash } |
1312 * | 1171 * |
1313 * KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | 1172 * KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key |
1314 * (excluding the tag and length fields) | 1173 * (excluding the tag and length fields) |
1315 * | 1174 * |
1316 * XXX Because the ASN.1 encoder and decoder currently do not provide | 1175 * XXX Because the ASN.1 encoder and decoder currently do not provide |
1317 * a way to automatically handle a CHOICE, we need to do it in two | 1176 * a way to automatically handle a CHOICE, we need to do it in two |
1318 * steps, looking at the type tag and feeding the exact choice back | 1177 * steps, looking at the type tag and feeding the exact choice back |
1319 * to the ASN.1 code. Hopefully that will change someday and this | 1178 * to the ASN.1 code. Hopefully that will change someday and this |
1320 * can all be simplified down into a single template. Anyway, for | 1179 * can all be simplified down into a single template. Anyway, for |
1321 * now we list each choice as its own template: | 1180 * now we list each choice as its own template: |
1322 */ | 1181 */ |
1323 const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = { | 1182 const SEC_ASN1Template ocsp_ResponderIDByNameTemplate[] = { |
1324 { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | 1183 {SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, |
1325 » offsetof(ocspResponderID, responderIDValue.name), | 1184 offsetof(ocspResponderID, responderIDValue.name), CERT_NameTemplate}}; |
1326 » CERT_NameTemplate } | |
1327 }; | |
1328 const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = { | 1185 const SEC_ASN1Template ocsp_ResponderIDByKeyTemplate[] = { |
1329 { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | | 1186 {SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | |
1330 SEC_ASN1_XTRN | 2, | 1187 SEC_ASN1_XTRN | 2, |
1331 » offsetof(ocspResponderID, responderIDValue.keyHash), | 1188 offsetof(ocspResponderID, responderIDValue.keyHash), |
1332 » SEC_ASN1_SUB(SEC_OctetStringTemplate) } | 1189 SEC_ASN1_SUB(SEC_OctetStringTemplate)}}; |
1333 }; | |
1334 static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = { | 1190 static const SEC_ASN1Template ocsp_ResponderIDOtherTemplate[] = { |
1335 { SEC_ASN1_ANY, | 1191 {SEC_ASN1_ANY, offsetof(ocspResponderID, responderIDValue.other)}}; |
1336 » offsetof(ocspResponderID, responderIDValue.other) } | |
1337 }; | |
1338 | 1192 |
1339 /* Decode choice container, but leave x509 name object encoded */ | 1193 /* Decode choice container, but leave x509 name object encoded */ |
1340 static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = { | 1194 static const SEC_ASN1Template ocsp_ResponderIDDerNameTemplate[] = { |
1341 { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | | 1195 {SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | |
1342 SEC_ASN1_XTRN | 1, 0, SEC_ASN1_SUB(SEC_AnyTemplate) } | 1196 SEC_ASN1_XTRN | 1, |
1343 }; | 1197 0, SEC_ASN1_SUB(SEC_AnyTemplate)}}; |
1344 | 1198 |
1345 /* | 1199 /* |
1346 * SingleResponse ::= SEQUENCE { | 1200 * SingleResponse ::= SEQUENCE { |
1347 * certID CertID, | 1201 * certID CertID, |
1348 * certStatus CertStatus, | 1202 * certStatus CertStatus, |
1349 * thisUpdate GeneralizedTime, | 1203 * thisUpdate GeneralizedTime, |
1350 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | 1204 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, |
1351 * singleExtensions [1] EXPLICIT Extensions OPTIONAL } | 1205 * singleExtensions [1] EXPLICIT Extensions OPTIONAL } |
1352 * | 1206 * |
1353 * Note: this should be static but the AIX compiler doesn't like it (because it | 1207 * Note: this should be static but the AIX compiler doesn't like it (because it |
1354 * was forward-declared above); it is not meant to be exported, but this | 1208 * was forward-declared above); it is not meant to be exported, but this |
1355 * is the only way it will compile. | 1209 * is the only way it will compile. |
1356 */ | 1210 */ |
1357 const SEC_ASN1Template ocsp_SingleResponseTemplate[] = { | 1211 const SEC_ASN1Template ocsp_SingleResponseTemplate[] = { |
1358 { SEC_ASN1_SEQUENCE, | 1212 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTOCSPSingleResponse)}, |
1359 » 0, NULL, sizeof(CERTOCSPSingleResponse) }, | 1213 {SEC_ASN1_POINTER, offsetof(CERTOCSPSingleResponse, certID), |
1360 { SEC_ASN1_POINTER, | 1214 ocsp_CertIDTemplate}, |
1361 » offsetof(CERTOCSPSingleResponse, certID), | 1215 {SEC_ASN1_ANY, offsetof(CERTOCSPSingleResponse, derCertStatus)}, |
1362 » ocsp_CertIDTemplate }, | 1216 {SEC_ASN1_GENERALIZED_TIME, offsetof(CERTOCSPSingleResponse, thisUpdate)}, |
1363 { SEC_ASN1_ANY, | 1217 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1364 » offsetof(CERTOCSPSingleResponse, derCertStatus) }, | 1218 SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1365 { SEC_ASN1_GENERALIZED_TIME, | 1219 offsetof(CERTOCSPSingleResponse, nextUpdate), |
1366 » offsetof(CERTOCSPSingleResponse, thisUpdate) }, | 1220 SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate)}, |
1367 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1221 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1368 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | 1222 SEC_ASN1_CONTEXT_SPECIFIC | 1, |
1369 » offsetof(CERTOCSPSingleResponse, nextUpdate), | 1223 offsetof(CERTOCSPSingleResponse, singleExtensions), |
1370 » SEC_ASN1_SUB(SEC_PointerToGeneralizedTimeTemplate) }, | 1224 CERT_SequenceOfCertExtensionTemplate}, |
1371 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1225 {0}}; |
1372 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, | |
1373 » offsetof(CERTOCSPSingleResponse, singleExtensions), | |
1374 » CERT_SequenceOfCertExtensionTemplate }, | |
1375 { 0 } | |
1376 }; | |
1377 | 1226 |
1378 /* | 1227 /* |
1379 * CertStatus ::= CHOICE { | 1228 * CertStatus ::= CHOICE { |
1380 * good [0] IMPLICIT NULL, | 1229 * good [0] IMPLICIT NULL, |
1381 * revoked [1] IMPLICIT RevokedInfo, | 1230 * revoked [1] IMPLICIT RevokedInfo, |
1382 * unknown [2] IMPLICIT UnknownInfo } | 1231 * unknown [2] IMPLICIT UnknownInfo } |
1383 * | 1232 * |
1384 * Because the ASN.1 encoder and decoder currently do not provide | 1233 * Because the ASN.1 encoder and decoder currently do not provide |
1385 * a way to automatically handle a CHOICE, we need to do it in two | 1234 * a way to automatically handle a CHOICE, we need to do it in two |
1386 * steps, looking at the type tag and feeding the exact choice back | 1235 * steps, looking at the type tag and feeding the exact choice back |
1387 * to the ASN.1 code. Hopefully that will change someday and this | 1236 * to the ASN.1 code. Hopefully that will change someday and this |
1388 * can all be simplified down into a single template. Anyway, for | 1237 * can all be simplified down into a single template. Anyway, for |
1389 * now we list each choice as its own template: | 1238 * now we list each choice as its own template: |
1390 */ | 1239 */ |
1391 static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = { | 1240 static const SEC_ASN1Template ocsp_CertStatusGoodTemplate[] = { |
1392 { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, | 1241 {SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1393 » offsetof(ocspCertStatus, certStatusInfo.goodInfo), | 1242 offsetof(ocspCertStatus, certStatusInfo.goodInfo), |
1394 » SEC_ASN1_SUB(SEC_NullTemplate) } | 1243 SEC_ASN1_SUB(SEC_NullTemplate)}}; |
1395 }; | |
1396 static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = { | 1244 static const SEC_ASN1Template ocsp_CertStatusRevokedTemplate[] = { |
1397 { SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,· | 1245 {SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, |
1398 » offsetof(ocspCertStatus, certStatusInfo.revokedInfo), | 1246 offsetof(ocspCertStatus, certStatusInfo.revokedInfo), |
1399 » ocsp_RevokedInfoTemplate } | 1247 ocsp_RevokedInfoTemplate}}; |
1400 }; | |
1401 static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = { | 1248 static const SEC_ASN1Template ocsp_CertStatusUnknownTemplate[] = { |
1402 { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, | 1249 {SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2, |
1403 » offsetof(ocspCertStatus, certStatusInfo.unknownInfo), | 1250 offsetof(ocspCertStatus, certStatusInfo.unknownInfo), |
1404 » SEC_ASN1_SUB(SEC_NullTemplate) } | 1251 SEC_ASN1_SUB(SEC_NullTemplate)}}; |
1405 }; | |
1406 static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = { | 1252 static const SEC_ASN1Template ocsp_CertStatusOtherTemplate[] = { |
1407 { SEC_ASN1_POINTER | SEC_ASN1_XTRN, | 1253 {SEC_ASN1_POINTER | SEC_ASN1_XTRN, |
1408 » offsetof(ocspCertStatus, certStatusInfo.otherInfo), | 1254 offsetof(ocspCertStatus, certStatusInfo.otherInfo), |
1409 » SEC_ASN1_SUB(SEC_AnyTemplate) } | 1255 SEC_ASN1_SUB(SEC_AnyTemplate)}}; |
1410 }; | |
1411 | 1256 |
1412 /* | 1257 /* |
1413 * RevokedInfo ::= SEQUENCE { | 1258 * RevokedInfo ::= SEQUENCE { |
1414 * revocationTime GeneralizedTime, | 1259 * revocationTime GeneralizedTime, |
1415 * revocationReason [0] EXPLICIT CRLReason OPTIONAL } | 1260 * revocationReason [0] EXPLICIT CRLReason OPTIONAL } |
1416 * | 1261 * |
1417 * Note: this should be static but the AIX compiler doesn't like it (because it | 1262 * Note: this should be static but the AIX compiler doesn't like it (because it |
1418 * was forward-declared above); it is not meant to be exported, but this | 1263 * was forward-declared above); it is not meant to be exported, but this |
1419 * is the only way it will compile. | 1264 * is the only way it will compile. |
1420 */ | 1265 */ |
1421 const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = { | 1266 const SEC_ASN1Template ocsp_RevokedInfoTemplate[] = { |
1422 { SEC_ASN1_SEQUENCE, | 1267 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspRevokedInfo)}, |
1423 » 0, NULL, sizeof(ocspRevokedInfo) }, | 1268 {SEC_ASN1_GENERALIZED_TIME, offsetof(ocspRevokedInfo, revocationTime)}, |
1424 { SEC_ASN1_GENERALIZED_TIME, | 1269 {SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
1425 » offsetof(ocspRevokedInfo, revocationTime) }, | 1270 SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, |
1426 { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | | 1271 offsetof(ocspRevokedInfo, revocationReason), |
1427 SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | | 1272 SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate)}, |
1428 SEC_ASN1_XTRN | 0, | 1273 {0}}; |
1429 » offsetof(ocspRevokedInfo, revocationReason),· | |
1430 » SEC_ASN1_SUB(SEC_PointerToEnumeratedTemplate) }, | |
1431 { 0 } | |
1432 }; | |
1433 | |
1434 | 1274 |
1435 /* | 1275 /* |
1436 * OCSP-specific extension templates: | 1276 * OCSP-specific extension templates: |
1437 */ | 1277 */ |
1438 | 1278 |
1439 /* | 1279 /* |
1440 * ServiceLocator ::= SEQUENCE { | 1280 * ServiceLocator ::= SEQUENCE { |
1441 * issuer Name, | 1281 * issuer Name, |
1442 * locator AuthorityInfoAccessSyntax OPTIONAL } | 1282 * locator AuthorityInfoAccessSyntax OPTIONAL } |
1443 */ | 1283 */ |
1444 static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = { | 1284 static const SEC_ASN1Template ocsp_ServiceLocatorTemplate[] = { |
1445 { SEC_ASN1_SEQUENCE, | 1285 {SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ocspServiceLocator)}, |
1446 » 0, NULL, sizeof(ocspServiceLocator) }, | 1286 {SEC_ASN1_POINTER, offsetof(ocspServiceLocator, issuer), CERT_NameTemplate}, |
1447 { SEC_ASN1_POINTER, | 1287 {SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, offsetof(ocspServiceLocator, locator)}, |
1448 » offsetof(ocspServiceLocator, issuer), | 1288 {0}}; |
1449 » CERT_NameTemplate }, | |
1450 { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, | |
1451 » offsetof(ocspServiceLocator, locator) }, | |
1452 { 0 } | |
1453 }; | |
1454 | |
1455 | 1289 |
1456 /* | 1290 /* |
1457 * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy): | 1291 * REQUEST SUPPORT FUNCTIONS (encode/create/decode/destroy): |
1458 */ | 1292 */ |
1459 | 1293 |
1460 /* | 1294 /* |
1461 * FUNCTION: CERT_EncodeOCSPRequest | 1295 * FUNCTION: CERT_EncodeOCSPRequest |
1462 * DER encodes an OCSP Request, possibly adding a signature as well. | 1296 * DER encodes an OCSP Request, possibly adding a signature as well. |
1463 * XXX Signing is not yet supported, however; see comments in code. | 1297 * XXX Signing is not yet supported, however; see comments in code. |
1464 * INPUTS: | 1298 * INPUTS: |
1465 * PLArenaPool *arena | 1299 * PLArenaPool *arena |
1466 * The return value is allocated from here. | 1300 * The return value is allocated from here. |
1467 * If a NULL is passed in, allocation is done from the heap instead. | 1301 * If a NULL is passed in, allocation is done from the heap instead. |
1468 * CERTOCSPRequest *request | 1302 * CERTOCSPRequest *request |
1469 * The request to be encoded. | 1303 * The request to be encoded. |
1470 * void *pwArg | 1304 * void *pwArg |
1471 * Pointer to argument for password prompting, if needed. (Definitely | 1305 * Pointer to argument for password prompting, if needed. (Definitely |
1472 * not needed if not signing.) | 1306 * not needed if not signing.) |
1473 * RETURN: | 1307 * RETURN: |
1474 * Returns a NULL on error and a pointer to the SECItem with the | 1308 * Returns a NULL on error and a pointer to the SECItem with the |
1475 * encoded value otherwise. Any error is likely to be low-level | 1309 * encoded value otherwise. Any error is likely to be low-level |
1476 * (e.g. no memory). | 1310 * (e.g. no memory). |
1477 */ | 1311 */ |
1478 SECItem * | 1312 SECItem *CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, |
1479 CERT_EncodeOCSPRequest(PLArenaPool *arena, CERTOCSPRequest *request, | 1313 void *pwArg) { |
1480 » » void *pwArg) | 1314 SECStatus rv; |
1481 { | 1315 |
1482 SECStatus rv; | 1316 /* XXX All of these should generate errors if they fail. */ |
1483 | 1317 PORT_Assert(request); |
1484 /* XXX All of these should generate errors if they fail. */ | 1318 PORT_Assert(request->tbsRequest); |
1485 PORT_Assert(request); | 1319 |
1486 PORT_Assert(request->tbsRequest); | 1320 if (request->tbsRequest->extensionHandle != NULL) { |
1487 | 1321 rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle); |
1488 if (request->tbsRequest->extensionHandle != NULL) { | 1322 request->tbsRequest->extensionHandle = NULL; |
1489 » rv = CERT_FinishExtensions(request->tbsRequest->extensionHandle); | 1323 if (rv != SECSuccess) return NULL; |
1490 » request->tbsRequest->extensionHandle = NULL; | 1324 } |
1491 » if (rv != SECSuccess) | 1325 |
1492 » return NULL; | 1326 /* |
1493 } | 1327 * XXX When signed requests are supported and request->optionalSignature |
1494 | 1328 * is not NULL: |
1495 /* | 1329 * - need to encode tbsRequest->requestorName |
1496 * XXX When signed requests are supported and request->optionalSignature | 1330 * - need to encode tbsRequest |
1497 * is not NULL: | 1331 * - need to sign that encoded result (using cert in sig), filling in the |
1498 * - need to encode tbsRequest->requestorName | 1332 * request->optionalSignature structure with the result, the signing |
1499 * - need to encode tbsRequest | 1333 * algorithm and (perhaps?) the cert (and its chain?) in derCerts |
1500 * - need to sign that encoded result (using cert in sig), filling in the | 1334 */ |
1501 * request->optionalSignature structure with the result, the signing | 1335 |
1502 * algorithm and (perhaps?) the cert (and its chain?) in derCerts | 1336 return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate); |
1503 */ | 1337 } |
1504 | |
1505 return SEC_ASN1EncodeItem(arena, NULL, request, ocsp_OCSPRequestTemplate); | |
1506 } | |
1507 | |
1508 | 1338 |
1509 /* | 1339 /* |
1510 * FUNCTION: CERT_DecodeOCSPRequest | 1340 * FUNCTION: CERT_DecodeOCSPRequest |
1511 * Decode a DER encoded OCSP Request. | 1341 * Decode a DER encoded OCSP Request. |
1512 * INPUTS: | 1342 * INPUTS: |
1513 * SECItem *src | 1343 * SECItem *src |
1514 * Pointer to a SECItem holding DER encoded OCSP Request. | 1344 * Pointer to a SECItem holding DER encoded OCSP Request. |
1515 * RETURN: | 1345 * RETURN: |
1516 * Returns a pointer to a CERTOCSPRequest containing the decoded request. | 1346 * Returns a pointer to a CERTOCSPRequest containing the decoded request. |
1517 * On error, returns NULL. Most likely error is trouble decoding | 1347 * On error, returns NULL. Most likely error is trouble decoding |
1518 * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). | 1348 * (SEC_ERROR_OCSP_MALFORMED_REQUEST), or low-level problem (no memory). |
1519 */ | 1349 */ |
1520 CERTOCSPRequest * | 1350 CERTOCSPRequest *CERT_DecodeOCSPRequest(const SECItem *src) { |
1521 CERT_DecodeOCSPRequest(const SECItem *src) | 1351 PLArenaPool *arena = NULL; |
1522 { | 1352 SECStatus rv = SECFailure; |
1523 PLArenaPool *arena = NULL; | 1353 CERTOCSPRequest *dest = NULL; |
1524 SECStatus rv = SECFailure; | 1354 int i; |
1525 CERTOCSPRequest *dest = NULL; | 1355 SECItem newSrc; |
1526 int i; | 1356 |
1527 SECItem newSrc; | 1357 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
1528 | 1358 if (arena == NULL) { |
1529 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 1359 goto loser; |
1530 if (arena == NULL) { | 1360 } |
1531 » goto loser; | 1361 dest = (CERTOCSPRequest *)PORT_ArenaZAlloc(arena, sizeof(CERTOCSPRequest)); |
1532 } | 1362 if (dest == NULL) { |
1533 dest = (CERTOCSPRequest *) PORT_ArenaZAlloc(arena, | 1363 goto loser; |
1534 » » » » » » sizeof(CERTOCSPRequest)); | 1364 } |
1535 if (dest == NULL) { | 1365 dest->arena = arena; |
1536 » goto loser; | 1366 |
1537 } | 1367 /* copy the DER into the arena, since Quick DER returns data that points |
1538 dest->arena = arena; | 1368 into the DER input, which may get freed by the caller */ |
1539 | 1369 rv = SECITEM_CopyItem(arena, &newSrc, src); |
1540 /* copy the DER into the arena, since Quick DER returns data that points | 1370 if (rv != SECSuccess) { |
1541 into the DER input, which may get freed by the caller */ | 1371 goto loser; |
1542 rv = SECITEM_CopyItem(arena, &newSrc, src); | 1372 } |
1543 if ( rv != SECSuccess ) { | 1373 |
1544 » goto loser; | 1374 rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc); |
1545 } | 1375 if (rv != SECSuccess) { |
1546 | 1376 if (PORT_GetError() == SEC_ERROR_BAD_DER) |
1547 rv = SEC_QuickDERDecodeItem(arena, dest, ocsp_OCSPRequestTemplate, &newSrc); | 1377 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); |
1548 if (rv != SECSuccess) { | 1378 goto loser; |
1549 » if (PORT_GetError() == SEC_ERROR_BAD_DER) | 1379 } |
1550 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); | 1380 |
1551 » goto loser; | 1381 /* |
1552 } | 1382 * XXX I would like to find a way to get rid of the necessity |
1553 | 1383 * of doing this copying of the arena pointer. |
1554 /* | 1384 */ |
1555 * XXX I would like to find a way to get rid of the necessity | 1385 for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) { |
1556 * of doing this copying of the arena pointer. | 1386 dest->tbsRequest->requestList[i]->arena = arena; |
1557 */ | 1387 } |
1558 for (i = 0; dest->tbsRequest->requestList[i] != NULL; i++) { | 1388 |
1559 » dest->tbsRequest->requestList[i]->arena = arena; | 1389 return dest; |
1560 } | |
1561 | |
1562 return dest; | |
1563 | 1390 |
1564 loser: | 1391 loser: |
1565 if (arena != NULL) { | 1392 if (arena != NULL) { |
1566 » PORT_FreeArena(arena, PR_FALSE); | 1393 PORT_FreeArena(arena, PR_FALSE); |
1567 } | 1394 } |
1568 return NULL; | 1395 return NULL; |
1569 } | 1396 } |
1570 | 1397 |
1571 SECStatus | 1398 SECStatus CERT_DestroyOCSPCertID(CERTOCSPCertID *certID) { |
1572 CERT_DestroyOCSPCertID(CERTOCSPCertID* certID) | 1399 if (certID && certID->poolp) { |
1573 { | 1400 PORT_FreeArena(certID->poolp, PR_FALSE); |
1574 if (certID && certID->poolp) { | 1401 return SECSuccess; |
1575 » PORT_FreeArena(certID->poolp, PR_FALSE); | 1402 } |
1576 » return SECSuccess; | 1403 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
1577 } | 1404 return SECFailure; |
1578 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1579 return SECFailure; | |
1580 } | 1405 } |
1581 | 1406 |
1582 /* | 1407 /* |
1583 * Digest data using the specified algorithm. | 1408 * Digest data using the specified algorithm. |
1584 * The necessary storage for the digest data is allocated. If "fill" is | 1409 * The necessary storage for the digest data is allocated. If "fill" is |
1585 * non-null, the data is put there, otherwise a SECItem is allocated. | 1410 * non-null, the data is put there, otherwise a SECItem is allocated. |
1586 * Allocation from "arena" if it is non-null, heap otherwise. Any problem | 1411 * Allocation from "arena" if it is non-null, heap otherwise. Any problem |
1587 * results in a NULL being returned (and an appropriate error set). | 1412 * results in a NULL being returned (and an appropriate error set). |
1588 */ | 1413 */ |
1589 | 1414 |
1590 SECItem * | 1415 SECItem *ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg, |
1591 ocsp_DigestValue(PLArenaPool *arena, SECOidTag digestAlg,· | 1416 SECItem *fill, const SECItem *src) { |
1592 SECItem *fill, const SECItem *src) | 1417 const SECHashObject *digestObject; |
1593 { | 1418 SECItem *result = NULL; |
1594 const SECHashObject *digestObject; | 1419 void *mark = NULL; |
1595 SECItem *result = NULL; | 1420 void *digestBuff = NULL; |
1596 void *mark = NULL; | 1421 |
1597 void *digestBuff = NULL; | 1422 if (arena != NULL) { |
1598 | 1423 mark = PORT_ArenaMark(arena); |
1599 if ( arena != NULL ) { | 1424 } |
1600 mark = PORT_ArenaMark(arena); | 1425 |
| 1426 digestObject = HASH_GetHashObjectByOidTag(digestAlg); |
| 1427 if (digestObject == NULL) { |
| 1428 goto loser; |
| 1429 } |
| 1430 |
| 1431 if (fill == NULL || fill->data == NULL) { |
| 1432 result = SECITEM_AllocItem(arena, fill, digestObject->length); |
| 1433 if (result == NULL) { |
| 1434 goto loser; |
1601 } | 1435 } |
1602 | 1436 digestBuff = result->data; |
1603 digestObject = HASH_GetHashObjectByOidTag(digestAlg); | 1437 } else { |
1604 if ( digestObject == NULL ) { | 1438 if (fill->len < digestObject->length) { |
1605 goto loser; | 1439 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1440 goto loser; |
1606 } | 1441 } |
1607 | 1442 digestBuff = fill->data; |
1608 if (fill == NULL || fill->data == NULL) { | 1443 } |
1609 » result = SECITEM_AllocItem(arena, fill, digestObject->length); | 1444 |
1610 » if ( result == NULL ) { | 1445 if (PK11_HashBuf(digestAlg, digestBuff, src->data, src->len) != SECSuccess) { |
1611 » goto loser; | 1446 goto loser; |
1612 » } | 1447 } |
1613 » digestBuff = result->data; | 1448 |
1614 } else { | 1449 if (arena != NULL) { |
1615 » if (fill->len < digestObject->length) { | 1450 PORT_ArenaUnmark(arena, mark); |
1616 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1451 } |
1617 » goto loser; | 1452 |
1618 » } | 1453 if (result == NULL) { |
1619 » digestBuff = fill->data; | 1454 result = fill; |
| 1455 } |
| 1456 return result; |
| 1457 |
| 1458 loser: |
| 1459 if (arena != NULL) { |
| 1460 PORT_ArenaRelease(arena, mark); |
| 1461 } else { |
| 1462 if (result != NULL) { |
| 1463 SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE); |
1620 } | 1464 } |
1621 | 1465 } |
1622 if (PK11_HashBuf(digestAlg, digestBuff, | 1466 return (NULL); |
1623 src->data, src->len) != SECSuccess) { | |
1624 goto loser; | |
1625 } | |
1626 | |
1627 if ( arena != NULL ) { | |
1628 PORT_ArenaUnmark(arena, mark); | |
1629 } | |
1630 | |
1631 if (result == NULL) { | |
1632 result = fill; | |
1633 } | |
1634 return result; | |
1635 | |
1636 loser: | |
1637 if (arena != NULL) { | |
1638 PORT_ArenaRelease(arena, mark); | |
1639 } else { | |
1640 if (result != NULL) { | |
1641 SECITEM_FreeItem(result, (fill == NULL) ? PR_TRUE : PR_FALSE); | |
1642 } | |
1643 } | |
1644 return(NULL); | |
1645 } | 1467 } |
1646 | 1468 |
1647 /* | 1469 /* |
1648 * Digest the cert's subject public key using the specified algorithm. | 1470 * Digest the cert's subject public key using the specified algorithm. |
1649 * The necessary storage for the digest data is allocated. If "fill" is | 1471 * The necessary storage for the digest data is allocated. If "fill" is |
1650 * non-null, the data is put there, otherwise a SECItem is allocated. | 1472 * non-null, the data is put there, otherwise a SECItem is allocated. |
1651 * Allocation from "arena" if it is non-null, heap otherwise. Any problem | 1473 * Allocation from "arena" if it is non-null, heap otherwise. Any problem |
1652 * results in a NULL being returned (and an appropriate error set). | 1474 * results in a NULL being returned (and an appropriate error set). |
1653 */ | 1475 */ |
1654 SECItem * | 1476 SECItem *CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, |
1655 CERT_GetSubjectPublicKeyDigest(PLArenaPool *arena, const CERTCertificate *cert, | 1477 const CERTCertificate *cert, |
1656 SECOidTag digestAlg, SECItem *fill) | 1478 SECOidTag digestAlg, SECItem *fill) { |
1657 { | 1479 SECItem spk; |
1658 SECItem spk; | 1480 |
1659 | 1481 /* |
1660 /* | 1482 * Copy just the length and data pointer (nothing needs to be freed) |
1661 * Copy just the length and data pointer (nothing needs to be freed) | 1483 * of the subject public key so we can convert the length from bits |
1662 * of the subject public key so we can convert the length from bits | 1484 * to bytes, which is what the digest function expects. |
1663 * to bytes, which is what the digest function expects. | 1485 */ |
1664 */ | 1486 spk = cert->subjectPublicKeyInfo.subjectPublicKey; |
1665 spk = cert->subjectPublicKeyInfo.subjectPublicKey; | 1487 DER_ConvertBitString(&spk); |
1666 DER_ConvertBitString(&spk); | 1488 |
1667 | 1489 return ocsp_DigestValue(arena, digestAlg, fill, &spk); |
1668 return ocsp_DigestValue(arena, digestAlg, fill, &spk); | |
1669 } | 1490 } |
1670 | 1491 |
1671 /* | 1492 /* |
1672 * Digest the cert's subject name using the specified algorithm. | 1493 * Digest the cert's subject name using the specified algorithm. |
1673 */ | 1494 */ |
1674 SECItem * | 1495 SECItem *CERT_GetSubjectNameDigest(PLArenaPool *arena, |
1675 CERT_GetSubjectNameDigest(PLArenaPool *arena, const CERTCertificate *cert, | 1496 const CERTCertificate *cert, |
1676 SECOidTag digestAlg, SECItem *fill) | 1497 SECOidTag digestAlg, SECItem *fill) { |
1677 { | 1498 SECItem name; |
1678 SECItem name; | 1499 |
1679 | 1500 /* |
1680 /* | 1501 * Copy just the length and data pointer (nothing needs to be freed) |
1681 * Copy just the length and data pointer (nothing needs to be freed) | 1502 * of the subject name |
1682 * of the subject name | 1503 */ |
1683 */ | 1504 name = cert->derSubject; |
1684 name = cert->derSubject; | 1505 |
1685 | 1506 return ocsp_DigestValue(arena, digestAlg, fill, &name); |
1686 return ocsp_DigestValue(arena, digestAlg, fill, &name); | |
1687 } | 1507 } |
1688 | 1508 |
1689 /* | 1509 /* |
1690 * Create and fill-in a CertID. This function fills in the hash values | 1510 * Create and fill-in a CertID. This function fills in the hash values |
1691 * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1. | 1511 * (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1. |
1692 * Someday it might need to be more flexible about hash algorithm, but | 1512 * Someday it might need to be more flexible about hash algorithm, but |
1693 * for now we have no intention/need to create anything else. | 1513 * for now we have no intention/need to create anything else. |
1694 * | 1514 * |
1695 * Error causes a null to be returned; most likely cause is trouble | 1515 * Error causes a null to be returned; most likely cause is trouble |
1696 * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER). | 1516 * finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER). |
1697 * Other errors are low-level problems (no memory, bad database, etc.). | 1517 * Other errors are low-level problems (no memory, bad database, etc.). |
1698 */ | 1518 */ |
1699 static CERTOCSPCertID * | 1519 static CERTOCSPCertID *ocsp_CreateCertID(PLArenaPool *arena, |
1700 ocsp_CreateCertID(PLArenaPool *arena, CERTCertificate *cert, PRTime time) | 1520 CERTCertificate *cert, PRTime time) { |
1701 { | 1521 CERTOCSPCertID *certID; |
1702 CERTOCSPCertID *certID; | 1522 CERTCertificate *issuerCert = NULL; |
1703 CERTCertificate *issuerCert = NULL; | 1523 void *mark = PORT_ArenaMark(arena); |
1704 void *mark = PORT_ArenaMark(arena); | 1524 SECStatus rv; |
1705 SECStatus rv; | 1525 |
1706 | 1526 PORT_Assert(arena != NULL); |
1707 PORT_Assert(arena != NULL); | 1527 |
1708 | 1528 certID = PORT_ArenaZNew(arena, CERTOCSPCertID); |
1709 certID = PORT_ArenaZNew(arena, CERTOCSPCertID); | 1529 if (certID == NULL) { |
1710 if (certID == NULL) { | 1530 goto loser; |
1711 » goto loser; | 1531 } |
1712 } | 1532 |
1713 | 1533 rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1, NULL); |
1714 rv = SECOID_SetAlgorithmID(arena, &certID->hashAlgorithm, SEC_OID_SHA1, | 1534 if (rv != SECSuccess) { |
1715 » » » NULL); | 1535 goto loser; |
1716 if (rv != SECSuccess) { | 1536 } |
1717 » goto loser;· | 1537 |
1718 } | 1538 issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); |
1719 | 1539 if (issuerCert == NULL) { |
1720 issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); | 1540 goto loser; |
1721 if (issuerCert == NULL) { | 1541 } |
1722 » goto loser; | 1542 |
1723 } | 1543 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1, |
1724 | 1544 &(certID->issuerNameHash)) == NULL) { |
1725 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_SHA1, | 1545 goto loser; |
1726 &(certID->issuerNameHash)) == NULL) { | 1546 } |
1727 goto loser; | 1547 certID->issuerSHA1NameHash.data = certID->issuerNameHash.data; |
1728 } | 1548 certID->issuerSHA1NameHash.len = certID->issuerNameHash.len; |
1729 certID->issuerSHA1NameHash.data = certID->issuerNameHash.data; | 1549 |
1730 certID->issuerSHA1NameHash.len = certID->issuerNameHash.len; | 1550 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5, |
1731 | 1551 &(certID->issuerMD5NameHash)) == NULL) { |
1732 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD5, | 1552 goto loser; |
1733 &(certID->issuerMD5NameHash)) == NULL) { | 1553 } |
1734 goto loser; | 1554 |
1735 } | 1555 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2, |
1736 | 1556 &(certID->issuerMD2NameHash)) == NULL) { |
1737 if (CERT_GetSubjectNameDigest(arena, issuerCert, SEC_OID_MD2, | 1557 goto loser; |
1738 &(certID->issuerMD2NameHash)) == NULL) { | 1558 } |
1739 goto loser; | 1559 |
1740 } | 1560 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1, |
1741 | 1561 &certID->issuerKeyHash) == NULL) { |
1742 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_SHA1, | 1562 goto loser; |
1743 » » » » &certID->issuerKeyHash) == NULL) { | 1563 } |
1744 » goto loser; | 1564 certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data; |
1745 } | 1565 certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len; |
1746 certID->issuerSHA1KeyHash.data = certID->issuerKeyHash.data; | 1566 /* cache the other two hash algorithms as well */ |
1747 certID->issuerSHA1KeyHash.len = certID->issuerKeyHash.len; | 1567 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5, |
1748 /* cache the other two hash algorithms as well */ | 1568 &certID->issuerMD5KeyHash) == NULL) { |
1749 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD5, | 1569 goto loser; |
1750 » » » » &certID->issuerMD5KeyHash) == NULL) { | 1570 } |
1751 » goto loser; | 1571 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2, |
1752 } | 1572 &certID->issuerMD2KeyHash) == NULL) { |
1753 if (CERT_GetSubjectPublicKeyDigest(arena, issuerCert, SEC_OID_MD2, | 1573 goto loser; |
1754 » » » » &certID->issuerMD2KeyHash) == NULL) { | 1574 } |
1755 » goto loser; | 1575 |
1756 } | 1576 /* now we are done with issuerCert */ |
1757 | 1577 CERT_DestroyCertificate(issuerCert); |
1758 | 1578 issuerCert = NULL; |
1759 /* now we are done with issuerCert */ | 1579 |
| 1580 rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber); |
| 1581 if (rv != SECSuccess) { |
| 1582 goto loser; |
| 1583 } |
| 1584 |
| 1585 PORT_ArenaUnmark(arena, mark); |
| 1586 return certID; |
| 1587 |
| 1588 loser: |
| 1589 if (issuerCert != NULL) { |
1760 CERT_DestroyCertificate(issuerCert); | 1590 CERT_DestroyCertificate(issuerCert); |
1761 issuerCert = NULL; | 1591 } |
1762 | 1592 PORT_ArenaRelease(arena, mark); |
1763 rv = SECITEM_CopyItem(arena, &certID->serialNumber, &cert->serialNumber); | 1593 return NULL; |
1764 if (rv != SECSuccess) { | 1594 } |
1765 » goto loser;· | 1595 |
1766 } | 1596 CERTOCSPCertID *CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time) { |
1767 | 1597 PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
1768 PORT_ArenaUnmark(arena, mark); | 1598 CERTOCSPCertID *certID; |
1769 return certID; | 1599 PORT_Assert(arena != NULL); |
| 1600 if (!arena) return NULL; |
| 1601 |
| 1602 certID = ocsp_CreateCertID(arena, cert, time); |
| 1603 if (!certID) { |
| 1604 PORT_FreeArena(arena, PR_FALSE); |
| 1605 return NULL; |
| 1606 } |
| 1607 certID->poolp = arena; |
| 1608 return certID; |
| 1609 } |
| 1610 |
| 1611 static CERTOCSPCertID *cert_DupOCSPCertID(const CERTOCSPCertID *src) { |
| 1612 CERTOCSPCertID *dest; |
| 1613 PLArenaPool *arena = NULL; |
| 1614 |
| 1615 if (!src) { |
| 1616 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 1617 return NULL; |
| 1618 } |
| 1619 |
| 1620 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 1621 if (!arena) goto loser; |
| 1622 |
| 1623 dest = PORT_ArenaZNew(arena, CERTOCSPCertID); |
| 1624 if (!dest) goto loser; |
| 1625 |
| 1626 #define DUPHELP(element) \ |
| 1627 if (src->element.data && \ |
| 1628 SECITEM_CopyItem(arena, &dest->element, &src->element) != SECSuccess) { \ |
| 1629 goto loser; \ |
| 1630 } |
| 1631 |
| 1632 DUPHELP(hashAlgorithm.algorithm) |
| 1633 DUPHELP(hashAlgorithm.parameters) |
| 1634 DUPHELP(issuerNameHash) |
| 1635 DUPHELP(issuerKeyHash) |
| 1636 DUPHELP(serialNumber) |
| 1637 DUPHELP(issuerSHA1NameHash) |
| 1638 DUPHELP(issuerMD5NameHash) |
| 1639 DUPHELP(issuerMD2NameHash) |
| 1640 DUPHELP(issuerSHA1KeyHash) |
| 1641 DUPHELP(issuerMD5KeyHash) |
| 1642 DUPHELP(issuerMD2KeyHash) |
| 1643 |
| 1644 dest->poolp = arena; |
| 1645 return dest; |
1770 | 1646 |
1771 loser: | 1647 loser: |
1772 if (issuerCert != NULL) { | 1648 if (arena) PORT_FreeArena(arena, PR_FALSE); |
1773 » CERT_DestroyCertificate(issuerCert); | 1649 PORT_SetError(PR_OUT_OF_MEMORY_ERROR); |
1774 } | 1650 return NULL; |
1775 PORT_ArenaRelease(arena, mark); | |
1776 return NULL; | |
1777 } | |
1778 | |
1779 CERTOCSPCertID* | |
1780 CERT_CreateOCSPCertID(CERTCertificate *cert, PRTime time) | |
1781 { | |
1782 PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1783 CERTOCSPCertID *certID; | |
1784 PORT_Assert(arena != NULL); | |
1785 if (!arena) | |
1786 » return NULL; | |
1787 ···· | |
1788 certID = ocsp_CreateCertID(arena, cert, time); | |
1789 if (!certID) { | |
1790 » PORT_FreeArena(arena, PR_FALSE); | |
1791 » return NULL; | |
1792 } | |
1793 certID->poolp = arena; | |
1794 return certID; | |
1795 } | |
1796 | |
1797 static CERTOCSPCertID * | |
1798 cert_DupOCSPCertID(const CERTOCSPCertID *src) | |
1799 { | |
1800 CERTOCSPCertID *dest; | |
1801 PLArenaPool *arena = NULL; | |
1802 | |
1803 if (!src) { | |
1804 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
1805 return NULL; | |
1806 } | |
1807 | |
1808 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
1809 if (!arena) | |
1810 goto loser; | |
1811 | |
1812 dest = PORT_ArenaZNew(arena, CERTOCSPCertID); | |
1813 if (!dest) | |
1814 goto loser; | |
1815 | |
1816 #define DUPHELP(element) \ | |
1817 if (src->element.data && \ | |
1818 SECITEM_CopyItem(arena, &dest->element, &src->element) \ | |
1819 != SECSuccess) { \ | |
1820 goto loser; \ | |
1821 } | |
1822 | |
1823 DUPHELP(hashAlgorithm.algorithm) | |
1824 DUPHELP(hashAlgorithm.parameters) | |
1825 DUPHELP(issuerNameHash) | |
1826 DUPHELP(issuerKeyHash) | |
1827 DUPHELP(serialNumber) | |
1828 DUPHELP(issuerSHA1NameHash) | |
1829 DUPHELP(issuerMD5NameHash) | |
1830 DUPHELP(issuerMD2NameHash) | |
1831 DUPHELP(issuerSHA1KeyHash) | |
1832 DUPHELP(issuerMD5KeyHash) | |
1833 DUPHELP(issuerMD2KeyHash) | |
1834 | |
1835 dest->poolp = arena; | |
1836 return dest; | |
1837 | |
1838 loser: | |
1839 if (arena) | |
1840 PORT_FreeArena(arena, PR_FALSE); | |
1841 PORT_SetError(PR_OUT_OF_MEMORY_ERROR); | |
1842 return NULL; | |
1843 } | 1651 } |
1844 | 1652 |
1845 /* | 1653 /* |
1846 * Callback to set Extensions in request object | 1654 * Callback to set Extensions in request object |
1847 */ | 1655 */ |
1848 void SetSingleReqExts(void *object, CERTCertExtension **exts) | 1656 void SetSingleReqExts(void *object, CERTCertExtension **exts) { |
1849 { | 1657 ocspSingleRequest *singleRequest = (ocspSingleRequest *)object; |
1850 ocspSingleRequest *singleRequest = | |
1851 (ocspSingleRequest *)object; | |
1852 | 1658 |
1853 singleRequest->singleRequestExtensions = exts; | 1659 singleRequest->singleRequestExtensions = exts; |
1854 } | 1660 } |
1855 | 1661 |
1856 /* | 1662 /* |
1857 * Add the Service Locator extension to the singleRequestExtensions | 1663 * Add the Service Locator extension to the singleRequestExtensions |
1858 * for the given singleRequest. | 1664 * for the given singleRequest. |
1859 * | 1665 * |
1860 * All errors are internal or low-level problems (e.g. no memory). | 1666 * All errors are internal or low-level problems (e.g. no memory). |
1861 */ | 1667 */ |
1862 static SECStatus | 1668 static SECStatus ocsp_AddServiceLocatorExtension( |
1863 ocsp_AddServiceLocatorExtension(ocspSingleRequest *singleRequest, | 1669 ocspSingleRequest *singleRequest, CERTCertificate *cert) { |
1864 » » » » CERTCertificate *cert) | 1670 ocspServiceLocator *serviceLocator = NULL; |
1865 { | 1671 void *extensionHandle = NULL; |
1866 ocspServiceLocator *serviceLocator = NULL; | 1672 SECStatus rv = SECFailure; |
1867 void *extensionHandle = NULL; | 1673 |
1868 SECStatus rv = SECFailure; | 1674 serviceLocator = PORT_ZNew(ocspServiceLocator); |
1869 | 1675 if (serviceLocator == NULL) goto loser; |
1870 serviceLocator = PORT_ZNew(ocspServiceLocator); | 1676 |
1871 if (serviceLocator == NULL) | 1677 /* |
1872 » goto loser; | 1678 * Normally it would be a bad idea to do a direct reference like |
1873 | 1679 * this rather than allocate and copy the name *or* at least dup |
| 1680 * a reference of the cert. But all we need is to be able to read |
| 1681 * the issuer name during the encoding we are about to do, so a |
| 1682 * copy is just a waste of time. |
| 1683 */ |
| 1684 serviceLocator->issuer = &cert->issuer; |
| 1685 |
| 1686 rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, |
| 1687 &serviceLocator->locator); |
| 1688 if (rv != SECSuccess) { |
| 1689 if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) goto loser; |
| 1690 } |
| 1691 |
| 1692 /* prepare for following loser gotos */ |
| 1693 rv = SECFailure; |
| 1694 PORT_SetError(0); |
| 1695 |
| 1696 extensionHandle = cert_StartExtensions(singleRequest, singleRequest->arena, |
| 1697 SetSingleReqExts); |
| 1698 if (extensionHandle == NULL) goto loser; |
| 1699 |
| 1700 rv = CERT_EncodeAndAddExtension( |
| 1701 extensionHandle, SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, serviceLocator, |
| 1702 PR_FALSE, ocsp_ServiceLocatorTemplate); |
| 1703 |
| 1704 loser: |
| 1705 if (extensionHandle != NULL) { |
1874 /* | 1706 /* |
1875 * Normally it would be a bad idea to do a direct reference like | 1707 * Either way we have to finish out the extension context (so it gets |
1876 * this rather than allocate and copy the name *or* at least dup | 1708 * freed). But careful not to override any already-set bad status. |
1877 * a reference of the cert. But all we need is to be able to read | |
1878 * the issuer name during the encoding we are about to do, so a | |
1879 * copy is just a waste of time. | |
1880 */ | 1709 */ |
1881 serviceLocator->issuer = &cert->issuer; | 1710 SECStatus tmprv = CERT_FinishExtensions(extensionHandle); |
1882 | 1711 if (rv == SECSuccess) rv = tmprv; |
1883 rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, | 1712 } |
1884 » » » » &serviceLocator->locator); | 1713 |
1885 if (rv != SECSuccess) { | 1714 /* |
1886 » if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) | 1715 * Finally, free the serviceLocator structure itself and we are done. |
1887 » goto loser; | 1716 */ |
1888 } | 1717 if (serviceLocator != NULL) { |
1889 | 1718 if (serviceLocator->locator.data != NULL) |
1890 /* prepare for following loser gotos */ | 1719 SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE); |
1891 rv = SECFailure; | 1720 PORT_Free(serviceLocator); |
1892 PORT_SetError(0); | 1721 } |
1893 | 1722 |
1894 extensionHandle = cert_StartExtensions(singleRequest, | 1723 return rv; |
1895 singleRequest->arena, SetSingleReqExts); | |
1896 if (extensionHandle == NULL) | |
1897 » goto loser; | |
1898 | |
1899 rv = CERT_EncodeAndAddExtension(extensionHandle, | |
1900 » » » » SEC_OID_PKIX_OCSP_SERVICE_LOCATOR, | |
1901 » » » » serviceLocator, PR_FALSE, | |
1902 » » » » ocsp_ServiceLocatorTemplate); | |
1903 | |
1904 loser: | |
1905 if (extensionHandle != NULL) { | |
1906 » /* | |
1907 » * Either way we have to finish out the extension context (so it gets | |
1908 » * freed). But careful not to override any already-set bad status. | |
1909 » */ | |
1910 » SECStatus tmprv = CERT_FinishExtensions(extensionHandle); | |
1911 » if (rv == SECSuccess) | |
1912 » rv = tmprv; | |
1913 } | |
1914 | |
1915 /* | |
1916 * Finally, free the serviceLocator structure itself and we are done. | |
1917 */ | |
1918 if (serviceLocator != NULL) { | |
1919 » if (serviceLocator->locator.data != NULL) | |
1920 » SECITEM_FreeItem(&serviceLocator->locator, PR_FALSE); | |
1921 » PORT_Free(serviceLocator); | |
1922 } | |
1923 | |
1924 return rv; | |
1925 } | 1724 } |
1926 | 1725 |
1927 /* | 1726 /* |
1928 * Creates an array of ocspSingleRequest based on a list of certs. | 1727 * Creates an array of ocspSingleRequest based on a list of certs. |
1929 * Note that the code which later compares the request list with the | 1728 * Note that the code which later compares the request list with the |
1930 * response expects this array to be in the exact same order as the | 1729 * response expects this array to be in the exact same order as the |
1931 * certs are found in the list. It would be harder to change that | 1730 * certs are found in the list. It would be harder to change that |
1932 * order than preserve it, but since the requirement is not obvious, | 1731 * order than preserve it, but since the requirement is not obvious, |
1933 * it deserves to be mentioned. | 1732 * it deserves to be mentioned. |
1934 * | 1733 * |
1935 * Any problem causes a null return and error set: | 1734 * Any problem causes a null return and error set: |
1936 * SEC_ERROR_UNKNOWN_ISSUER | 1735 * SEC_ERROR_UNKNOWN_ISSUER |
1937 * Other errors are low-level problems (no memory, bad database, etc.). | 1736 * Other errors are low-level problems (no memory, bad database, etc.). |
1938 */ | 1737 */ |
1939 static ocspSingleRequest ** | 1738 static ocspSingleRequest **ocsp_CreateSingleRequestList(PLArenaPool *arena, |
1940 ocsp_CreateSingleRequestList(PLArenaPool *arena, CERTCertList *certList, | 1739 CERTCertList *certList, |
1941 PRTime time, PRBool includeLocator) | 1740 PRTime time, |
1942 { | 1741 PRBool includeLocator) { |
1943 ocspSingleRequest **requestList = NULL; | 1742 ocspSingleRequest **requestList = NULL; |
1944 CERTCertListNode *node = NULL; | 1743 CERTCertListNode *node = NULL; |
1945 int i, count; | 1744 int i, count; |
1946 void *mark = PORT_ArenaMark(arena); | 1745 void *mark = PORT_ArenaMark(arena); |
1947 · | 1746 |
1948 node = CERT_LIST_HEAD(certList); | 1747 node = CERT_LIST_HEAD(certList); |
1949 for (count = 0; !CERT_LIST_END(node, certList); count++) { | 1748 for (count = 0; !CERT_LIST_END(node, certList); count++) { |
1950 node = CERT_LIST_NEXT(node); | 1749 node = CERT_LIST_NEXT(node); |
| 1750 } |
| 1751 |
| 1752 if (count == 0) goto loser; |
| 1753 |
| 1754 requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1); |
| 1755 if (requestList == NULL) goto loser; |
| 1756 |
| 1757 node = CERT_LIST_HEAD(certList); |
| 1758 for (i = 0; !CERT_LIST_END(node, certList); i++) { |
| 1759 requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest); |
| 1760 if (requestList[i] == NULL) goto loser; |
| 1761 |
| 1762 OCSP_TRACE(("OCSP CERT_CreateOCSPRequest %s\n", node->cert->subjectName)); |
| 1763 requestList[i]->arena = arena; |
| 1764 requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time); |
| 1765 if (requestList[i]->reqCert == NULL) goto loser; |
| 1766 |
| 1767 if (includeLocator == PR_TRUE) { |
| 1768 SECStatus rv; |
| 1769 |
| 1770 rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert); |
| 1771 if (rv != SECSuccess) goto loser; |
1951 } | 1772 } |
1952 | 1773 |
1953 if (count == 0) | 1774 node = CERT_LIST_NEXT(node); |
1954 » goto loser; | 1775 } |
1955 | 1776 |
1956 requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, count + 1); | 1777 PORT_Assert(i == count); |
1957 if (requestList == NULL) | 1778 |
1958 » goto loser; | 1779 PORT_ArenaUnmark(arena, mark); |
1959 | 1780 requestList[i] = NULL; |
1960 node = CERT_LIST_HEAD(certList); | 1781 return requestList; |
1961 for (i = 0; !CERT_LIST_END(node, certList); i++) { | |
1962 requestList[i] = PORT_ArenaZNew(arena, ocspSingleRequest); | |
1963 if (requestList[i] == NULL) | |
1964 goto loser; | |
1965 | |
1966 OCSP_TRACE(("OCSP CERT_CreateOCSPRequest %s\n", node->cert->subjectName)
); | |
1967 requestList[i]->arena = arena; | |
1968 requestList[i]->reqCert = ocsp_CreateCertID(arena, node->cert, time); | |
1969 if (requestList[i]->reqCert == NULL) | |
1970 goto loser; | |
1971 | |
1972 if (includeLocator == PR_TRUE) { | |
1973 SECStatus rv; | |
1974 | |
1975 rv = ocsp_AddServiceLocatorExtension(requestList[i], node->cert); | |
1976 if (rv != SECSuccess) | |
1977 goto loser; | |
1978 } | |
1979 | |
1980 node = CERT_LIST_NEXT(node); | |
1981 } | |
1982 | |
1983 PORT_Assert(i == count); | |
1984 | |
1985 PORT_ArenaUnmark(arena, mark); | |
1986 requestList[i] = NULL; | |
1987 return requestList; | |
1988 | 1782 |
1989 loser: | 1783 loser: |
1990 PORT_ArenaRelease(arena, mark); | 1784 PORT_ArenaRelease(arena, mark); |
| 1785 return NULL; |
| 1786 } |
| 1787 |
| 1788 static ocspSingleRequest **ocsp_CreateRequestFromCert( |
| 1789 PLArenaPool *arena, CERTOCSPCertID *certID, CERTCertificate *singleCert, |
| 1790 PRTime time, PRBool includeLocator) { |
| 1791 ocspSingleRequest **requestList = NULL; |
| 1792 void *mark = PORT_ArenaMark(arena); |
| 1793 PORT_Assert(certID != NULL && singleCert != NULL); |
| 1794 |
| 1795 /* meaning of value 2: one entry + one end marker */ |
| 1796 requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, 2); |
| 1797 if (requestList == NULL) goto loser; |
| 1798 requestList[0] = PORT_ArenaZNew(arena, ocspSingleRequest); |
| 1799 if (requestList[0] == NULL) goto loser; |
| 1800 requestList[0]->arena = arena; |
| 1801 /* certID will live longer than the request */ |
| 1802 requestList[0]->reqCert = certID; |
| 1803 |
| 1804 if (includeLocator == PR_TRUE) { |
| 1805 SECStatus rv; |
| 1806 rv = ocsp_AddServiceLocatorExtension(requestList[0], singleCert); |
| 1807 if (rv != SECSuccess) goto loser; |
| 1808 } |
| 1809 |
| 1810 PORT_ArenaUnmark(arena, mark); |
| 1811 requestList[1] = NULL; |
| 1812 return requestList; |
| 1813 |
| 1814 loser: |
| 1815 PORT_ArenaRelease(arena, mark); |
| 1816 return NULL; |
| 1817 } |
| 1818 |
| 1819 static CERTOCSPRequest *ocsp_prepareEmptyOCSPRequest(void) { |
| 1820 PLArenaPool *arena = NULL; |
| 1821 CERTOCSPRequest *request = NULL; |
| 1822 ocspTBSRequest *tbsRequest = NULL; |
| 1823 |
| 1824 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 1825 if (arena == NULL) { |
| 1826 goto loser; |
| 1827 } |
| 1828 request = PORT_ArenaZNew(arena, CERTOCSPRequest); |
| 1829 if (request == NULL) { |
| 1830 goto loser; |
| 1831 } |
| 1832 request->arena = arena; |
| 1833 |
| 1834 tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest); |
| 1835 if (tbsRequest == NULL) { |
| 1836 goto loser; |
| 1837 } |
| 1838 request->tbsRequest = tbsRequest; |
| 1839 /* version 1 is the default, so we need not fill in a version number */ |
| 1840 return request; |
| 1841 |
| 1842 loser: |
| 1843 if (arena != NULL) { |
| 1844 PORT_FreeArena(arena, PR_FALSE); |
| 1845 } |
| 1846 return NULL; |
| 1847 } |
| 1848 |
| 1849 CERTOCSPRequest *cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID, |
| 1850 CERTCertificate *singleCert, |
| 1851 PRTime time, |
| 1852 PRBool addServiceLocator, |
| 1853 CERTCertificate *signerCert) { |
| 1854 CERTOCSPRequest *request; |
| 1855 OCSP_TRACE( |
| 1856 ("OCSP cert_CreateSingleCertOCSPRequest %s\n", singleCert->subjectName)); |
| 1857 |
| 1858 /* XXX Support for signerCert may be implemented later, |
| 1859 * see also the comment in CERT_CreateOCSPRequest. |
| 1860 */ |
| 1861 if (signerCert != NULL) { |
| 1862 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
1991 return NULL; | 1863 return NULL; |
1992 } | 1864 } |
1993 | 1865 |
1994 static ocspSingleRequest ** | 1866 request = ocsp_prepareEmptyOCSPRequest(); |
1995 ocsp_CreateRequestFromCert(PLArenaPool *arena, | 1867 if (!request) return NULL; |
1996 CERTOCSPCertID *certID,· | 1868 /* |
1997 CERTCertificate *singleCert, | 1869 * Version 1 is the default, so we need not fill in a version number. |
1998 PRTime time, | 1870 * Now create the list of single requests, one for each cert. |
1999 PRBool includeLocator) | 1871 */ |
2000 { | 1872 request->tbsRequest->requestList = ocsp_CreateRequestFromCert( |
2001 ocspSingleRequest **requestList = NULL; | 1873 request->arena, certID, singleCert, time, addServiceLocator); |
2002 void *mark = PORT_ArenaMark(arena); | 1874 if (request->tbsRequest->requestList == NULL) { |
2003 PORT_Assert(certID != NULL && singleCert != NULL); | 1875 PORT_FreeArena(request->arena, PR_FALSE); |
2004 | |
2005 /* meaning of value 2: one entry + one end marker */ | |
2006 requestList = PORT_ArenaNewArray(arena, ocspSingleRequest *, 2); | |
2007 if (requestList == NULL) | |
2008 goto loser; | |
2009 requestList[0] = PORT_ArenaZNew(arena, ocspSingleRequest); | |
2010 if (requestList[0] == NULL) | |
2011 goto loser; | |
2012 requestList[0]->arena = arena; | |
2013 /* certID will live longer than the request */ | |
2014 requestList[0]->reqCert = certID;· | |
2015 | |
2016 if (includeLocator == PR_TRUE) { | |
2017 SECStatus rv; | |
2018 rv = ocsp_AddServiceLocatorExtension(requestList[0], singleCert); | |
2019 if (rv != SECSuccess) | |
2020 goto loser; | |
2021 } | |
2022 | |
2023 PORT_ArenaUnmark(arena, mark); | |
2024 requestList[1] = NULL; | |
2025 return requestList; | |
2026 | |
2027 loser: | |
2028 PORT_ArenaRelease(arena, mark); | |
2029 return NULL; | 1876 return NULL; |
2030 } | 1877 } |
2031 | 1878 return request; |
2032 static CERTOCSPRequest * | |
2033 ocsp_prepareEmptyOCSPRequest(void) | |
2034 { | |
2035 PLArenaPool *arena = NULL; | |
2036 CERTOCSPRequest *request = NULL; | |
2037 ocspTBSRequest *tbsRequest = NULL; | |
2038 | |
2039 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
2040 if (arena == NULL) { | |
2041 goto loser; | |
2042 } | |
2043 request = PORT_ArenaZNew(arena, CERTOCSPRequest); | |
2044 if (request == NULL) { | |
2045 goto loser; | |
2046 } | |
2047 request->arena = arena; | |
2048 | |
2049 tbsRequest = PORT_ArenaZNew(arena, ocspTBSRequest); | |
2050 if (tbsRequest == NULL) { | |
2051 goto loser; | |
2052 } | |
2053 request->tbsRequest = tbsRequest; | |
2054 /* version 1 is the default, so we need not fill in a version number */ | |
2055 return request; | |
2056 | |
2057 loser: | |
2058 if (arena != NULL) { | |
2059 PORT_FreeArena(arena, PR_FALSE); | |
2060 } | |
2061 return NULL; | |
2062 } | |
2063 | |
2064 CERTOCSPRequest * | |
2065 cert_CreateSingleCertOCSPRequest(CERTOCSPCertID *certID,· | |
2066 CERTCertificate *singleCert,· | |
2067 PRTime time, | |
2068 PRBool addServiceLocator, | |
2069 CERTCertificate *signerCert) | |
2070 { | |
2071 CERTOCSPRequest *request; | |
2072 OCSP_TRACE(("OCSP cert_CreateSingleCertOCSPRequest %s\n", singleCert->subjec
tName)); | |
2073 | |
2074 /* XXX Support for signerCert may be implemented later, | |
2075 * see also the comment in CERT_CreateOCSPRequest. | |
2076 */ | |
2077 if (signerCert != NULL) { | |
2078 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | |
2079 return NULL; | |
2080 } | |
2081 | |
2082 request = ocsp_prepareEmptyOCSPRequest(); | |
2083 if (!request) | |
2084 return NULL; | |
2085 /* | |
2086 * Version 1 is the default, so we need not fill in a version number. | |
2087 * Now create the list of single requests, one for each cert. | |
2088 */ | |
2089 request->tbsRequest->requestList =· | |
2090 ocsp_CreateRequestFromCert(request->arena,· | |
2091 certID, | |
2092 singleCert, | |
2093 time, | |
2094 addServiceLocator); | |
2095 if (request->tbsRequest->requestList == NULL) { | |
2096 PORT_FreeArena(request->arena, PR_FALSE); | |
2097 return NULL; | |
2098 } | |
2099 return request; | |
2100 } | 1879 } |
2101 | 1880 |
2102 /* | 1881 /* |
2103 * FUNCTION: CERT_CreateOCSPRequest | 1882 * FUNCTION: CERT_CreateOCSPRequest |
2104 * Creates a CERTOCSPRequest, requesting the status of the certs in | 1883 * Creates a CERTOCSPRequest, requesting the status of the certs in |
2105 * the given list. | 1884 * the given list. |
2106 * INPUTS: | 1885 * INPUTS: |
2107 * CERTCertList *certList | 1886 * CERTCertList *certList |
2108 * A list of certs for which status will be requested. | 1887 * A list of certs for which status will be requested. |
2109 * Note that all of these certificates should have the same issuer, | 1888 * Note that all of these certificates should have the same issuer, |
2110 * or it's expected the response will be signed by a trusted responder. | 1889 * or it's expected the response will be signed by a trusted responder. |
2111 * If the certs need to be broken up into multiple requests, that | 1890 * If the certs need to be broken up into multiple requests, that |
2112 * must be handled by the caller (and thus by having multiple calls | 1891 * must be handled by the caller (and thus by having multiple calls |
2113 * to this routine), who knows about where the request(s) are being | 1892 * to this routine), who knows about where the request(s) are being |
2114 * sent and whether there are any trusted responders in place. | 1893 * sent and whether there are any trusted responders in place. |
2115 * PRTime time | 1894 * PRTime time |
2116 * Indicates the time for which the certificate status is to be | 1895 * Indicates the time for which the certificate status is to be |
2117 * determined -- this may be used in the search for the cert's issuer | 1896 * determined -- this may be used in the search for the cert's issuer |
2118 * but has no effect on the request itself. | 1897 * but has no effect on the request itself. |
2119 * PRBool addServiceLocator | 1898 * PRBool addServiceLocator |
2120 * If true, the Service Locator extension should be added to the | 1899 * If true, the Service Locator extension should be added to the |
2121 * single request(s) for each cert. | 1900 * single request(s) for each cert. |
2122 * CERTCertificate *signerCert | 1901 * CERTCertificate *signerCert |
2123 * If non-NULL, means sign the request using this cert. Otherwise, | 1902 * If non-NULL, means sign the request using this cert. Otherwise, |
2124 * do not sign. | 1903 * do not sign. |
2125 * XXX note that request signing is not yet supported; see comment in code | 1904 * XXX note that request signing is not yet supported; see comment in code |
2126 * RETURN: | 1905 * RETURN: |
2127 * A pointer to a CERTOCSPRequest structure containing an OCSP request | 1906 * A pointer to a CERTOCSPRequest structure containing an OCSP request |
2128 * for the cert list. On error, null is returned, with an error set | 1907 * for the cert list. On error, null is returned, with an error set |
2129 * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. | 1908 * indicating the reason. This is likely SEC_ERROR_UNKNOWN_ISSUER. |
2130 * (The issuer is needed to create a request for the certificate.) | 1909 * (The issuer is needed to create a request for the certificate.) |
2131 * Other errors are low-level problems (no memory, bad database, etc.). | 1910 * Other errors are low-level problems (no memory, bad database, etc.). |
2132 */ | 1911 */ |
2133 CERTOCSPRequest * | 1912 CERTOCSPRequest *CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, |
2134 CERT_CreateOCSPRequest(CERTCertList *certList, PRTime time, | 1913 PRBool addServiceLocator, |
2135 » » PRBool addServiceLocator, | 1914 CERTCertificate *signerCert) { |
2136 » » CERTCertificate *signerCert) | 1915 CERTOCSPRequest *request = NULL; |
2137 { | 1916 |
2138 CERTOCSPRequest *request = NULL; | 1917 if (!certList) { |
2139 | 1918 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2140 if (!certList) { | 1919 return NULL; |
2141 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1920 } |
2142 return NULL; | 1921 /* |
2143 } | 1922 * XXX When we are prepared to put signing of requests back in, |
2144 /* | 1923 * we will need to allocate a signature |
2145 * XXX When we are prepared to put signing of requests back in,· | 1924 * structure for the request, fill in the "derCerts" field in it, |
2146 * we will need to allocate a signature | 1925 * save the signerCert there, as well as fill in the "requestorName" |
2147 * structure for the request, fill in the "derCerts" field in it, | 1926 * field of the tbsRequest. |
2148 * save the signerCert there, as well as fill in the "requestorName" | 1927 */ |
2149 * field of the tbsRequest. | 1928 if (signerCert != NULL) { |
2150 */ | 1929 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
2151 if (signerCert != NULL) { | 1930 return NULL; |
2152 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 1931 } |
2153 return NULL; | 1932 request = ocsp_prepareEmptyOCSPRequest(); |
2154 } | 1933 if (!request) return NULL; |
2155 request = ocsp_prepareEmptyOCSPRequest(); | 1934 /* |
2156 if (!request) | 1935 * Now create the list of single requests, one for each cert. |
2157 return NULL; | 1936 */ |
2158 /* | 1937 request->tbsRequest->requestList = ocsp_CreateSingleRequestList( |
2159 * Now create the list of single requests, one for each cert. | 1938 request->arena, certList, time, addServiceLocator); |
2160 */ | 1939 if (request->tbsRequest->requestList == NULL) { |
2161 request->tbsRequest->requestList = | 1940 PORT_FreeArena(request->arena, PR_FALSE); |
2162 ocsp_CreateSingleRequestList(request->arena, | 1941 return NULL; |
2163 certList, | 1942 } |
2164 time, | 1943 return request; |
2165 addServiceLocator); | |
2166 if (request->tbsRequest->requestList == NULL) { | |
2167 PORT_FreeArena(request->arena, PR_FALSE); | |
2168 return NULL; | |
2169 } | |
2170 return request; | |
2171 } | 1944 } |
2172 | 1945 |
2173 /* | 1946 /* |
2174 * FUNCTION: CERT_AddOCSPAcceptableResponses | 1947 * FUNCTION: CERT_AddOCSPAcceptableResponses |
2175 * Add the AcceptableResponses extension to an OCSP Request. | 1948 * Add the AcceptableResponses extension to an OCSP Request. |
2176 * INPUTS: | 1949 * INPUTS: |
2177 * CERTOCSPRequest *request | 1950 * CERTOCSPRequest *request |
2178 * The request to which the extension should be added. | 1951 * The request to which the extension should be added. |
2179 * ... | 1952 * ... |
2180 * A list (of one or more) of SECOidTag -- each of the response types | 1953 * A list (of one or more) of SECOidTag -- each of the response types |
2181 * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. | 1954 * to be added. The last OID *must* be SEC_OID_PKIX_OCSP_BASIC_RESPONSE. |
2182 * (This marks the end of the list, and it must be specified because a | 1955 * (This marks the end of the list, and it must be specified because a |
2183 * client conforming to the OCSP standard is required to handle the basic | 1956 * client conforming to the OCSP standard is required to handle the basic |
2184 * response type.) The OIDs are not checked in any way. | 1957 * response type.) The OIDs are not checked in any way. |
2185 * RETURN: | 1958 * RETURN: |
2186 * SECSuccess if the extension is added; SECFailure if anything goes wrong. | 1959 * SECSuccess if the extension is added; SECFailure if anything goes wrong. |
2187 * All errors are internal or low-level problems (e.g. no memory). | 1960 * All errors are internal or low-level problems (e.g. no memory). |
2188 */ | 1961 */ |
2189 | 1962 |
2190 void SetRequestExts(void *object, CERTCertExtension **exts) | 1963 void SetRequestExts(void *object, CERTCertExtension **exts) { |
2191 { | |
2192 CERTOCSPRequest *request = (CERTOCSPRequest *)object; | 1964 CERTOCSPRequest *request = (CERTOCSPRequest *)object; |
2193 | 1965 |
2194 request->tbsRequest->requestExtensions = exts; | 1966 request->tbsRequest->requestExtensions = exts; |
2195 } | 1967 } |
2196 | 1968 |
2197 SECStatus | 1969 SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, |
2198 CERT_AddOCSPAcceptableResponses(CERTOCSPRequest *request, | 1970 SECOidTag responseType0, ...) { |
2199 » » » » SECOidTag responseType0, ...) | 1971 void *extHandle; |
2200 { | 1972 va_list ap; |
2201 void *extHandle; | 1973 int i, count; |
2202 va_list ap; | 1974 SECOidTag responseType; |
2203 int i, count; | 1975 SECOidData *responseOid; |
2204 SECOidTag responseType; | 1976 SECItem **acceptableResponses = NULL; |
2205 SECOidData *responseOid; | 1977 SECStatus rv = SECFailure; |
2206 SECItem **acceptableResponses = NULL; | 1978 |
2207 SECStatus rv = SECFailure; | 1979 extHandle = request->tbsRequest->extensionHandle; |
2208 | 1980 if (extHandle == NULL) { |
2209 extHandle = request->tbsRequest->extensionHandle; | 1981 extHandle = cert_StartExtensions(request, request->arena, SetRequestExts); |
2210 if (extHandle == NULL) { | 1982 if (extHandle == NULL) goto loser; |
2211 » extHandle = cert_StartExtensions(request, request->arena, SetRequestExts
); | 1983 } |
2212 » if (extHandle == NULL) | 1984 |
2213 » goto loser; | 1985 /* Count number of OIDS going into the extension value. */ |
| 1986 count = 1; |
| 1987 if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { |
| 1988 va_start(ap, responseType0); |
| 1989 do { |
| 1990 count++; |
| 1991 responseType = va_arg(ap, SECOidTag); |
| 1992 } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE); |
| 1993 va_end(ap); |
| 1994 } |
| 1995 |
| 1996 acceptableResponses = PORT_NewArray(SECItem *, count + 1); |
| 1997 if (acceptableResponses == NULL) goto loser; |
| 1998 |
| 1999 i = 0; |
| 2000 responseOid = SECOID_FindOIDByTag(responseType0); |
| 2001 acceptableResponses[i++] = &(responseOid->oid); |
| 2002 if (count > 1) { |
| 2003 va_start(ap, responseType0); |
| 2004 for (; i < count; i++) { |
| 2005 responseType = va_arg(ap, SECOidTag); |
| 2006 responseOid = SECOID_FindOIDByTag(responseType); |
| 2007 acceptableResponses[i] = &(responseOid->oid); |
2214 } | 2008 } |
2215 | 2009 va_end(ap); |
2216 /* Count number of OIDS going into the extension value. */ | 2010 } |
2217 count = 1; | 2011 acceptableResponses[i] = NULL; |
2218 if (responseType0 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { | 2012 |
2219 » va_start(ap, responseType0); | 2013 rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE, |
2220 » do { | 2014 &acceptableResponses, PR_FALSE, |
2221 » count++; | 2015 SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate)); |
2222 » responseType = va_arg(ap, SECOidTag); | 2016 if (rv != SECSuccess) goto loser; |
2223 » } while (responseType != SEC_OID_PKIX_OCSP_BASIC_RESPONSE); | 2017 |
2224 » va_end(ap); | 2018 PORT_Free(acceptableResponses); |
2225 } | 2019 if (request->tbsRequest->extensionHandle == NULL) |
2226 | 2020 request->tbsRequest->extensionHandle = extHandle; |
2227 acceptableResponses = PORT_NewArray(SECItem *, count + 1); | 2021 return SECSuccess; |
2228 if (acceptableResponses == NULL) | |
2229 » goto loser; | |
2230 | |
2231 i = 0; | |
2232 responseOid = SECOID_FindOIDByTag(responseType0); | |
2233 acceptableResponses[i++] = &(responseOid->oid); | |
2234 if (count > 1) { | |
2235 » va_start(ap, responseType0); | |
2236 » for ( ; i < count; i++) { | |
2237 » responseType = va_arg(ap, SECOidTag); | |
2238 » responseOid = SECOID_FindOIDByTag(responseType); | |
2239 » acceptableResponses[i] = &(responseOid->oid); | |
2240 » } | |
2241 » va_end(ap); | |
2242 } | |
2243 acceptableResponses[i] = NULL; | |
2244 | |
2245 rv = CERT_EncodeAndAddExtension(extHandle, SEC_OID_PKIX_OCSP_RESPONSE, | |
2246 &acceptableResponses, PR_FALSE, | |
2247 SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate)); | |
2248 if (rv != SECSuccess) | |
2249 » goto loser; | |
2250 | |
2251 PORT_Free(acceptableResponses); | |
2252 if (request->tbsRequest->extensionHandle == NULL) | |
2253 » request->tbsRequest->extensionHandle = extHandle; | |
2254 return SECSuccess; | |
2255 | 2022 |
2256 loser: | 2023 loser: |
2257 if (acceptableResponses != NULL) | 2024 if (acceptableResponses != NULL) PORT_Free(acceptableResponses); |
2258 » PORT_Free(acceptableResponses); | 2025 if (extHandle != NULL) (void)CERT_FinishExtensions(extHandle); |
2259 if (extHandle != NULL) | 2026 return rv; |
2260 » (void) CERT_FinishExtensions(extHandle); | 2027 } |
2261 return rv; | |
2262 } | |
2263 | |
2264 | 2028 |
2265 /* | 2029 /* |
2266 * FUNCTION: CERT_DestroyOCSPRequest | 2030 * FUNCTION: CERT_DestroyOCSPRequest |
2267 * Frees an OCSP Request structure. | 2031 * Frees an OCSP Request structure. |
2268 * INPUTS: | 2032 * INPUTS: |
2269 * CERTOCSPRequest *request | 2033 * CERTOCSPRequest *request |
2270 * Pointer to CERTOCSPRequest to be freed. | 2034 * Pointer to CERTOCSPRequest to be freed. |
2271 * RETURN: | 2035 * RETURN: |
2272 * No return value; no errors. | 2036 * No return value; no errors. |
2273 */ | 2037 */ |
2274 void | 2038 void CERT_DestroyOCSPRequest(CERTOCSPRequest *request) { |
2275 CERT_DestroyOCSPRequest(CERTOCSPRequest *request) | 2039 if (request == NULL) return; |
2276 { | 2040 |
2277 if (request == NULL) | 2041 if (request->tbsRequest != NULL) { |
2278 » return; | 2042 if (request->tbsRequest->requestorName != NULL) |
2279 | 2043 CERT_DestroyGeneralNameList(request->tbsRequest->requestorName); |
2280 if (request->tbsRequest != NULL) { | 2044 if (request->tbsRequest->extensionHandle != NULL) |
2281 » if (request->tbsRequest->requestorName != NULL) | 2045 (void)CERT_FinishExtensions(request->tbsRequest->extensionHandle); |
2282 » CERT_DestroyGeneralNameList(request->tbsRequest->requestorName); | 2046 } |
2283 » if (request->tbsRequest->extensionHandle != NULL) | 2047 |
2284 » (void) CERT_FinishExtensions(request->tbsRequest->extensionHandle); | 2048 if (request->optionalSignature != NULL) { |
2285 } | 2049 if (request->optionalSignature->cert != NULL) |
2286 | 2050 CERT_DestroyCertificate(request->optionalSignature->cert); |
2287 if (request->optionalSignature != NULL) { | |
2288 » if (request->optionalSignature->cert != NULL) | |
2289 » CERT_DestroyCertificate(request->optionalSignature->cert); | |
2290 | |
2291 » /* | |
2292 » * XXX Need to free derCerts? Or do they come out of arena? | |
2293 » * (Currently we never fill in derCerts, which is why the | |
2294 » * answer is not obvious. Once we do, add any necessary code | |
2295 » * here and remove this comment.) | |
2296 » */ | |
2297 } | |
2298 | 2051 |
2299 /* | 2052 /* |
2300 * We should actually never have a request without an arena, | 2053 * XXX Need to free derCerts? Or do they come out of arena? |
2301 * but check just in case. (If there isn't one, there is not | 2054 * (Currently we never fill in derCerts, which is why the |
2302 * much we can do about it...) | 2055 * answer is not obvious. Once we do, add any necessary code |
| 2056 * here and remove this comment.) |
2303 */ | 2057 */ |
2304 PORT_Assert(request->arena != NULL); | 2058 } |
2305 if (request->arena != NULL) | 2059 |
2306 » PORT_FreeArena(request->arena, PR_FALSE); | 2060 /* |
2307 } | 2061 * We should actually never have a request without an arena, |
2308 | 2062 * but check just in case. (If there isn't one, there is not |
| 2063 * much we can do about it...) |
| 2064 */ |
| 2065 PORT_Assert(request->arena != NULL); |
| 2066 if (request->arena != NULL) PORT_FreeArena(request->arena, PR_FALSE); |
| 2067 } |
2309 | 2068 |
2310 /* | 2069 /* |
2311 * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy): | 2070 * RESPONSE SUPPORT FUNCTIONS (encode/create/decode/destroy): |
2312 */ | 2071 */ |
2313 | 2072 |
2314 /* | 2073 /* |
2315 * Helper function for encoding or decoding a ResponderID -- based on the | 2074 * Helper function for encoding or decoding a ResponderID -- based on the |
2316 * given type, return the associated template for that choice. | 2075 * given type, return the associated template for that choice. |
2317 */ | 2076 */ |
2318 static const SEC_ASN1Template * | 2077 static const SEC_ASN1Template *ocsp_ResponderIDTemplateByType( |
2319 ocsp_ResponderIDTemplateByType(CERTOCSPResponderIDType responderIDType) | 2078 CERTOCSPResponderIDType responderIDType) { |
2320 { | 2079 const SEC_ASN1Template *responderIDTemplate; |
2321 const SEC_ASN1Template *responderIDTemplate; | 2080 |
2322 | 2081 switch (responderIDType) { |
2323 switch (responderIDType) { | 2082 case ocspResponderID_byName: |
2324 » case ocspResponderID_byName: | 2083 responderIDTemplate = ocsp_ResponderIDByNameTemplate; |
2325 » responderIDTemplate = ocsp_ResponderIDByNameTemplate; | 2084 break; |
2326 » break; | 2085 case ocspResponderID_byKey: |
2327 » case ocspResponderID_byKey: | 2086 responderIDTemplate = ocsp_ResponderIDByKeyTemplate; |
2328 » responderIDTemplate = ocsp_ResponderIDByKeyTemplate; | 2087 break; |
2329 » break; | 2088 case ocspResponderID_other: |
2330 » case ocspResponderID_other: | 2089 default: |
2331 » default: | 2090 PORT_Assert(responderIDType == ocspResponderID_other); |
2332 » PORT_Assert(responderIDType == ocspResponderID_other); | 2091 responderIDTemplate = ocsp_ResponderIDOtherTemplate; |
2333 » responderIDTemplate = ocsp_ResponderIDOtherTemplate; | 2092 break; |
2334 » break; | 2093 } |
2335 } | 2094 |
2336 | 2095 return responderIDTemplate; |
2337 return responderIDTemplate; | |
2338 } | 2096 } |
2339 | 2097 |
2340 /* | 2098 /* |
2341 * Helper function for encoding or decoding a CertStatus -- based on the | 2099 * Helper function for encoding or decoding a CertStatus -- based on the |
2342 * given type, return the associated template for that choice. | 2100 * given type, return the associated template for that choice. |
2343 */ | 2101 */ |
2344 static const SEC_ASN1Template * | 2102 static const SEC_ASN1Template *ocsp_CertStatusTemplateByType( |
2345 ocsp_CertStatusTemplateByType(ocspCertStatusType certStatusType) | 2103 ocspCertStatusType certStatusType) { |
2346 { | 2104 const SEC_ASN1Template *certStatusTemplate; |
2347 const SEC_ASN1Template *certStatusTemplate; | 2105 |
2348 | 2106 switch (certStatusType) { |
2349 switch (certStatusType) { | 2107 case ocspCertStatus_good: |
2350 » case ocspCertStatus_good: | 2108 certStatusTemplate = ocsp_CertStatusGoodTemplate; |
2351 » certStatusTemplate = ocsp_CertStatusGoodTemplate; | 2109 break; |
2352 » break; | 2110 case ocspCertStatus_revoked: |
2353 » case ocspCertStatus_revoked: | 2111 certStatusTemplate = ocsp_CertStatusRevokedTemplate; |
2354 » certStatusTemplate = ocsp_CertStatusRevokedTemplate; | 2112 break; |
2355 » break; | 2113 case ocspCertStatus_unknown: |
2356 » case ocspCertStatus_unknown: | 2114 certStatusTemplate = ocsp_CertStatusUnknownTemplate; |
2357 » certStatusTemplate = ocsp_CertStatusUnknownTemplate; | 2115 break; |
2358 » break; | 2116 case ocspCertStatus_other: |
2359 » case ocspCertStatus_other: | 2117 default: |
2360 » default: | 2118 PORT_Assert(certStatusType == ocspCertStatus_other); |
2361 » PORT_Assert(certStatusType == ocspCertStatus_other); | 2119 certStatusTemplate = ocsp_CertStatusOtherTemplate; |
2362 » certStatusTemplate = ocsp_CertStatusOtherTemplate; | 2120 break; |
2363 » break; | 2121 } |
2364 } | 2122 |
2365 | 2123 return certStatusTemplate; |
2366 return certStatusTemplate; | |
2367 } | 2124 } |
2368 | 2125 |
2369 /* | 2126 /* |
2370 * Helper function for decoding a certStatus -- turn the actual DER tag | 2127 * Helper function for decoding a certStatus -- turn the actual DER tag |
2371 * into our local translation. | 2128 * into our local translation. |
2372 */ | 2129 */ |
2373 static ocspCertStatusType | 2130 static ocspCertStatusType ocsp_CertStatusTypeByTag(int derTag) { |
2374 ocsp_CertStatusTypeByTag(int derTag) | 2131 ocspCertStatusType certStatusType; |
2375 { | 2132 |
2376 ocspCertStatusType certStatusType; | 2133 switch (derTag) { |
2377 | 2134 case 0: |
2378 switch (derTag) { | 2135 certStatusType = ocspCertStatus_good; |
2379 » case 0: | 2136 break; |
2380 » certStatusType = ocspCertStatus_good; | 2137 case 1: |
2381 » break; | 2138 certStatusType = ocspCertStatus_revoked; |
2382 » case 1: | 2139 break; |
2383 » certStatusType = ocspCertStatus_revoked; | 2140 case 2: |
2384 » break; | 2141 certStatusType = ocspCertStatus_unknown; |
2385 » case 2: | 2142 break; |
2386 » certStatusType = ocspCertStatus_unknown; | 2143 default: |
2387 » break; | 2144 certStatusType = ocspCertStatus_other; |
2388 » default: | 2145 break; |
2389 » certStatusType = ocspCertStatus_other; | 2146 } |
2390 » break; | 2147 |
2391 } | 2148 return certStatusType; |
2392 | |
2393 return certStatusType; | |
2394 } | 2149 } |
2395 | 2150 |
2396 /* | 2151 /* |
2397 * Helper function for decoding SingleResponses -- they each contain | 2152 * Helper function for decoding SingleResponses -- they each contain |
2398 * a status which is encoded as CHOICE, which needs to be decoded "by hand". | 2153 * a status which is encoded as CHOICE, which needs to be decoded "by hand". |
2399 * | 2154 * |
2400 * Note -- on error, this routine does not release the memory it may | 2155 * Note -- on error, this routine does not release the memory it may |
2401 * have allocated; it expects its caller to do that. | 2156 * have allocated; it expects its caller to do that. |
2402 */ | 2157 */ |
2403 static SECStatus | 2158 static SECStatus ocsp_FinishDecodingSingleResponses( |
2404 ocsp_FinishDecodingSingleResponses(PLArenaPool *reqArena, | 2159 PLArenaPool *reqArena, CERTOCSPSingleResponse **responses) { |
2405 » » » » CERTOCSPSingleResponse **responses) | 2160 ocspCertStatus *certStatus; |
2406 { | 2161 ocspCertStatusType certStatusType; |
2407 ocspCertStatus *certStatus; | 2162 const SEC_ASN1Template *certStatusTemplate; |
2408 ocspCertStatusType certStatusType; | 2163 int derTag; |
2409 const SEC_ASN1Template *certStatusTemplate; | 2164 int i; |
2410 int derTag; | 2165 SECStatus rv = SECFailure; |
2411 int i; | 2166 |
2412 SECStatus rv = SECFailure; | 2167 if (!reqArena) { |
2413 | 2168 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
2414 if (!reqArena) { | 2169 return SECFailure; |
2415 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 2170 } |
2416 return SECFailure; | 2171 |
| 2172 if (responses == NULL) /* nothing to do */ |
| 2173 return SECSuccess; |
| 2174 |
| 2175 for (i = 0; responses[i] != NULL; i++) { |
| 2176 SECItem *newStatus; |
| 2177 /* |
| 2178 * The following assert points out internal errors (problems in |
| 2179 * the template definitions or in the ASN.1 decoder itself, etc.). |
| 2180 */ |
| 2181 PORT_Assert(responses[i]->derCertStatus.data != NULL); |
| 2182 |
| 2183 derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK; |
| 2184 certStatusType = ocsp_CertStatusTypeByTag(derTag); |
| 2185 certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType); |
| 2186 |
| 2187 certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus)); |
| 2188 if (certStatus == NULL) { |
| 2189 goto loser; |
2417 } | 2190 } |
2418 | 2191 newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus); |
2419 if (responses == NULL)» » » /* nothing to do */ | 2192 if (!newStatus) { |
2420 » return SECSuccess; | 2193 goto loser; |
2421 | |
2422 for (i = 0; responses[i] != NULL; i++) { | |
2423 SECItem* newStatus; | |
2424 » /* | |
2425 » * The following assert points out internal errors (problems in | |
2426 » * the template definitions or in the ASN.1 decoder itself, etc.). | |
2427 » */ | |
2428 » PORT_Assert(responses[i]->derCertStatus.data != NULL); | |
2429 | |
2430 » derTag = responses[i]->derCertStatus.data[0] & SEC_ASN1_TAGNUM_MASK; | |
2431 » certStatusType = ocsp_CertStatusTypeByTag(derTag); | |
2432 » certStatusTemplate = ocsp_CertStatusTemplateByType(certStatusType); | |
2433 | |
2434 » certStatus = PORT_ArenaZAlloc(reqArena, sizeof(ocspCertStatus)); | |
2435 » if (certStatus == NULL) { | |
2436 » goto loser; | |
2437 » } | |
2438 newStatus = SECITEM_ArenaDupItem(reqArena, &responses[i]->derCertStatus)
; | |
2439 if (!newStatus) { | |
2440 goto loser; | |
2441 } | |
2442 » rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate, | |
2443 » » » » newStatus); | |
2444 » if (rv != SECSuccess) { | |
2445 » if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
2446 » » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
2447 » goto loser; | |
2448 » } | |
2449 | |
2450 » certStatus->certStatusType = certStatusType; | |
2451 » responses[i]->certStatus = certStatus; | |
2452 } | 2194 } |
2453 | 2195 rv = SEC_QuickDERDecodeItem(reqArena, certStatus, certStatusTemplate, |
2454 return SECSuccess; | 2196 newStatus); |
| 2197 if (rv != SECSuccess) { |
| 2198 if (PORT_GetError() == SEC_ERROR_BAD_DER) |
| 2199 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
| 2200 goto loser; |
| 2201 } |
| 2202 |
| 2203 certStatus->certStatusType = certStatusType; |
| 2204 responses[i]->certStatus = certStatus; |
| 2205 } |
| 2206 |
| 2207 return SECSuccess; |
2455 | 2208 |
2456 loser: | 2209 loser: |
2457 return rv; | 2210 return rv; |
2458 } | 2211 } |
2459 | 2212 |
2460 /* | 2213 /* |
2461 * Helper function for decoding a responderID -- turn the actual DER tag | 2214 * Helper function for decoding a responderID -- turn the actual DER tag |
2462 * into our local translation. | 2215 * into our local translation. |
2463 */ | 2216 */ |
2464 static CERTOCSPResponderIDType | 2217 static CERTOCSPResponderIDType ocsp_ResponderIDTypeByTag(int derTag) { |
2465 ocsp_ResponderIDTypeByTag(int derTag) | 2218 CERTOCSPResponderIDType responderIDType; |
2466 { | 2219 |
2467 CERTOCSPResponderIDType responderIDType; | 2220 switch (derTag) { |
2468 | 2221 case 1: |
2469 switch (derTag) { | 2222 responderIDType = ocspResponderID_byName; |
2470 » case 1: | 2223 break; |
2471 » responderIDType = ocspResponderID_byName; | 2224 case 2: |
2472 » break; | 2225 responderIDType = ocspResponderID_byKey; |
2473 » case 2: | 2226 break; |
2474 » responderIDType = ocspResponderID_byKey; | 2227 default: |
2475 » break; | 2228 responderIDType = ocspResponderID_other; |
2476 » default: | 2229 break; |
2477 » responderIDType = ocspResponderID_other; | 2230 } |
2478 » break; | 2231 |
2479 } | 2232 return responderIDType; |
2480 | |
2481 return responderIDType; | |
2482 } | 2233 } |
2483 | 2234 |
2484 /* | 2235 /* |
2485 * Decode "src" as a BasicOCSPResponse, returning the result. | 2236 * Decode "src" as a BasicOCSPResponse, returning the result. |
2486 */ | 2237 */ |
2487 static ocspBasicOCSPResponse * | 2238 static ocspBasicOCSPResponse *ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, |
2488 ocsp_DecodeBasicOCSPResponse(PLArenaPool *arena, SECItem *src) | 2239 SECItem *src) { |
2489 { | 2240 void *mark; |
2490 void *mark; | 2241 ocspBasicOCSPResponse *basicResponse; |
2491 ocspBasicOCSPResponse *basicResponse; | 2242 ocspResponseData *responseData; |
2492 ocspResponseData *responseData; | 2243 ocspResponderID *responderID; |
2493 ocspResponderID *responderID; | 2244 CERTOCSPResponderIDType responderIDType; |
2494 CERTOCSPResponderIDType responderIDType; | 2245 const SEC_ASN1Template *responderIDTemplate; |
2495 const SEC_ASN1Template *responderIDTemplate; | 2246 int derTag; |
2496 int derTag; | 2247 SECStatus rv; |
2497 SECStatus rv; | 2248 SECItem newsrc; |
2498 SECItem newsrc; | 2249 |
2499 | 2250 mark = PORT_ArenaMark(arena); |
2500 mark = PORT_ArenaMark(arena); | 2251 |
2501 | 2252 basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse)); |
2502 basicResponse = PORT_ArenaZAlloc(arena, sizeof(ocspBasicOCSPResponse)); | 2253 if (basicResponse == NULL) { |
2503 if (basicResponse == NULL) { | 2254 goto loser; |
2504 » goto loser; | 2255 } |
2505 } | 2256 |
2506 | 2257 /* copy the DER into the arena, since Quick DER returns data that points |
2507 /* copy the DER into the arena, since Quick DER returns data that points | 2258 into the DER input, which may get freed by the caller */ |
2508 into the DER input, which may get freed by the caller */ | 2259 rv = SECITEM_CopyItem(arena, &newsrc, src); |
2509 rv = SECITEM_CopyItem(arena, &newsrc, src); | 2260 if (rv != SECSuccess) { |
2510 if ( rv != SECSuccess ) { | 2261 goto loser; |
2511 » goto loser; | 2262 } |
2512 } | 2263 |
2513 | 2264 rv = SEC_QuickDERDecodeItem(arena, basicResponse, |
2514 rv = SEC_QuickDERDecodeItem(arena, basicResponse, | 2265 ocsp_BasicOCSPResponseTemplate, &newsrc); |
2515 » » » ocsp_BasicOCSPResponseTemplate, &newsrc); | 2266 if (rv != SECSuccess) { |
2516 if (rv != SECSuccess) { | 2267 if (PORT_GetError() == SEC_ERROR_BAD_DER) |
2517 » if (PORT_GetError() == SEC_ERROR_BAD_DER) | 2268 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
2518 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | 2269 goto loser; |
2519 » goto loser; | 2270 } |
2520 } | 2271 |
2521 | 2272 responseData = basicResponse->tbsResponseData; |
2522 responseData = basicResponse->tbsResponseData; | 2273 |
2523 | 2274 /* |
2524 /* | 2275 * The following asserts point out internal errors (problems in |
2525 * The following asserts point out internal errors (problems in | 2276 * the template definitions or in the ASN.1 decoder itself, etc.). |
2526 * the template definitions or in the ASN.1 decoder itself, etc.). | 2277 */ |
2527 */ | 2278 PORT_Assert(responseData != NULL); |
2528 PORT_Assert(responseData != NULL); | 2279 PORT_Assert(responseData->derResponderID.data != NULL); |
2529 PORT_Assert(responseData->derResponderID.data != NULL); | 2280 |
2530 | 2281 /* |
2531 /* | 2282 * XXX Because responderID is a CHOICE, which is not currently handled |
2532 * XXX Because responderID is a CHOICE, which is not currently handled | 2283 * by our ASN.1 decoder, we have to decode it "by hand". |
2533 * by our ASN.1 decoder, we have to decode it "by hand". | 2284 */ |
2534 */ | 2285 derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK; |
2535 derTag = responseData->derResponderID.data[0] & SEC_ASN1_TAGNUM_MASK; | 2286 responderIDType = ocsp_ResponderIDTypeByTag(derTag); |
2536 responderIDType = ocsp_ResponderIDTypeByTag(derTag); | 2287 responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType); |
2537 responderIDTemplate = ocsp_ResponderIDTemplateByType(responderIDType); | 2288 |
2538 | 2289 responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID)); |
2539 responderID = PORT_ArenaZAlloc(arena, sizeof(ocspResponderID)); | 2290 if (responderID == NULL) { |
2540 if (responderID == NULL) { | 2291 goto loser; |
2541 » goto loser; | 2292 } |
2542 } | 2293 |
2543 | 2294 rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate, |
2544 rv = SEC_QuickDERDecodeItem(arena, responderID, responderIDTemplate, | 2295 &responseData->derResponderID); |
2545 » » » &responseData->derResponderID); | 2296 if (rv != SECSuccess) { |
2546 if (rv != SECSuccess) { | 2297 if (PORT_GetError() == SEC_ERROR_BAD_DER) |
2547 » if (PORT_GetError() == SEC_ERROR_BAD_DER) | 2298 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
2548 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | 2299 goto loser; |
2549 » goto loser; | 2300 } |
2550 } | 2301 |
2551 | 2302 responderID->responderIDType = responderIDType; |
2552 responderID->responderIDType = responderIDType; | 2303 responseData->responderID = responderID; |
2553 responseData->responderID = responderID; | 2304 |
2554 | 2305 /* |
2555 /* | 2306 * XXX Each SingleResponse also contains a CHOICE, which has to be |
2556 * XXX Each SingleResponse also contains a CHOICE, which has to be | 2307 * fixed up by hand. |
2557 * fixed up by hand. | 2308 */ |
2558 */ | 2309 rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses); |
2559 rv = ocsp_FinishDecodingSingleResponses(arena, responseData->responses); | 2310 if (rv != SECSuccess) { |
2560 if (rv != SECSuccess) { | 2311 goto loser; |
2561 » goto loser; | 2312 } |
2562 } | 2313 |
2563 | 2314 PORT_ArenaUnmark(arena, mark); |
2564 PORT_ArenaUnmark(arena, mark); | 2315 return basicResponse; |
2565 return basicResponse; | |
2566 | 2316 |
2567 loser: | 2317 loser: |
2568 PORT_ArenaRelease(arena, mark); | 2318 PORT_ArenaRelease(arena, mark); |
2569 return NULL; | 2319 return NULL; |
2570 } | 2320 } |
2571 | |
2572 | 2321 |
2573 /* | 2322 /* |
2574 * Decode the responseBytes based on the responseType found in "rbytes", | 2323 * Decode the responseBytes based on the responseType found in "rbytes", |
2575 * leaving the resulting translated/decoded information in there as well. | 2324 * leaving the resulting translated/decoded information in there as well. |
2576 */ | 2325 */ |
2577 static SECStatus | 2326 static SECStatus ocsp_DecodeResponseBytes(PLArenaPool *arena, |
2578 ocsp_DecodeResponseBytes(PLArenaPool *arena, ocspResponseBytes *rbytes) | 2327 ocspResponseBytes *rbytes) { |
2579 { | 2328 if (rbytes == NULL) { |
2580 if (rbytes == NULL) { | 2329 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); |
2581 » PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); | 2330 return SECFailure; |
2582 » return SECFailure; | 2331 } |
2583 } | 2332 |
2584 | 2333 rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType); |
2585 rbytes->responseTypeTag = SECOID_FindOIDTag(&rbytes->responseType); | 2334 switch (rbytes->responseTypeTag) { |
2586 switch (rbytes->responseTypeTag) { | 2335 case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: { |
2587 » case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: | 2336 ocspBasicOCSPResponse *basicResponse; |
2588 » { | 2337 |
2589 » » ocspBasicOCSPResponse *basicResponse; | 2338 basicResponse = ocsp_DecodeBasicOCSPResponse(arena, &rbytes->response); |
2590 | 2339 if (basicResponse == NULL) return SECFailure; |
2591 » » basicResponse = ocsp_DecodeBasicOCSPResponse(arena, | 2340 |
2592 » » » » » » » &rbytes->response); | 2341 rbytes->decodedResponse.basic = basicResponse; |
2593 » » if (basicResponse == NULL) | 2342 } break; |
2594 » » return SECFailure; | 2343 |
2595 | 2344 /* |
2596 » » rbytes->decodedResponse.basic = basicResponse; | 2345 * Add new/future response types here. |
2597 » } | 2346 */ |
2598 » break; | 2347 |
2599 | 2348 default: |
2600 » /* | 2349 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); |
2601 » * Add new/future response types here. | 2350 return SECFailure; |
2602 » */ | 2351 } |
2603 | 2352 |
2604 » default: | 2353 return SECSuccess; |
2605 » PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE); | 2354 } |
2606 » return SECFailure; | |
2607 } | |
2608 | |
2609 return SECSuccess; | |
2610 } | |
2611 | |
2612 | 2355 |
2613 /* | 2356 /* |
2614 * FUNCTION: CERT_DecodeOCSPResponse | 2357 * FUNCTION: CERT_DecodeOCSPResponse |
2615 * Decode a DER encoded OCSP Response. | 2358 * Decode a DER encoded OCSP Response. |
2616 * INPUTS: | 2359 * INPUTS: |
2617 * SECItem *src | 2360 * SECItem *src |
2618 * Pointer to a SECItem holding DER encoded OCSP Response. | 2361 * Pointer to a SECItem holding DER encoded OCSP Response. |
2619 * RETURN: | 2362 * RETURN: |
2620 * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); | 2363 * Returns a pointer to a CERTOCSPResponse (the decoded OCSP Response); |
2621 * the caller is responsible for destroying it. Or NULL if error (either | 2364 * the caller is responsible for destroying it. Or NULL if error (either |
2622 * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), | 2365 * response could not be decoded (SEC_ERROR_OCSP_MALFORMED_RESPONSE), |
2623 * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), | 2366 * it was of an unexpected type (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE), |
2624 * or a low-level or internal error occurred). | 2367 * or a low-level or internal error occurred). |
2625 */ | 2368 */ |
2626 CERTOCSPResponse * | 2369 CERTOCSPResponse *CERT_DecodeOCSPResponse(const SECItem *src) { |
2627 CERT_DecodeOCSPResponse(const SECItem *src) | 2370 PLArenaPool *arena = NULL; |
2628 { | 2371 CERTOCSPResponse *response = NULL; |
2629 PLArenaPool *arena = NULL; | 2372 SECStatus rv = SECFailure; |
2630 CERTOCSPResponse *response = NULL; | 2373 ocspResponseStatus sv; |
2631 SECStatus rv = SECFailure; | 2374 SECItem newSrc; |
2632 ocspResponseStatus sv; | 2375 |
2633 SECItem newSrc; | 2376 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
2634 | 2377 if (arena == NULL) { |
2635 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | 2378 goto loser; |
2636 if (arena == NULL) { | 2379 } |
2637 » goto loser; | 2380 response = |
2638 } | 2381 (CERTOCSPResponse *)PORT_ArenaZAlloc(arena, sizeof(CERTOCSPResponse)); |
2639 response = (CERTOCSPResponse *) PORT_ArenaZAlloc(arena, | 2382 if (response == NULL) { |
2640 » » » » » » sizeof(CERTOCSPResponse)); | 2383 goto loser; |
2641 if (response == NULL) { | 2384 } |
2642 » goto loser; | 2385 response->arena = arena; |
2643 } | 2386 |
2644 response->arena = arena; | 2387 /* copy the DER into the arena, since Quick DER returns data that points |
2645 | 2388 into the DER input, which may get freed by the caller */ |
2646 /* copy the DER into the arena, since Quick DER returns data that points | 2389 rv = SECITEM_CopyItem(arena, &newSrc, src); |
2647 into the DER input, which may get freed by the caller */ | 2390 if (rv != SECSuccess) { |
2648 rv = SECITEM_CopyItem(arena, &newSrc, src); | 2391 goto loser; |
2649 if ( rv != SECSuccess ) { | 2392 } |
2650 » goto loser; | 2393 |
2651 } | 2394 rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, |
2652 | 2395 &newSrc); |
2653 rv = SEC_QuickDERDecodeItem(arena, response, ocsp_OCSPResponseTemplate, &new
Src); | 2396 if (rv != SECSuccess) { |
2654 if (rv != SECSuccess) { | 2397 if (PORT_GetError() == SEC_ERROR_BAD_DER) |
2655 » if (PORT_GetError() == SEC_ERROR_BAD_DER) | 2398 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
2656 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | 2399 goto loser; |
2657 » goto loser; | 2400 } |
2658 } | 2401 |
2659 | 2402 sv = (ocspResponseStatus)DER_GetInteger(&response->responseStatus); |
2660 sv = (ocspResponseStatus) DER_GetInteger(&response->responseStatus); | 2403 response->statusValue = sv; |
2661 response->statusValue = sv; | 2404 if (sv != ocspResponse_successful) { |
2662 if (sv != ocspResponse_successful) { | |
2663 » /* | |
2664 » * If the response status is anything but successful, then we | |
2665 » * are all done with decoding; the status is all there is. | |
2666 » */ | |
2667 » return response; | |
2668 } | |
2669 | |
2670 /* | 2405 /* |
2671 * A successful response contains much more information, still encoded. | 2406 * If the response status is anything but successful, then we |
2672 * Now we need to decode that. | 2407 * are all done with decoding; the status is all there is. |
2673 */ | 2408 */ |
2674 rv = ocsp_DecodeResponseBytes(arena, response->responseBytes); | |
2675 if (rv != SECSuccess) { | |
2676 goto loser; | |
2677 } | |
2678 | |
2679 return response; | 2409 return response; |
| 2410 } |
| 2411 |
| 2412 /* |
| 2413 * A successful response contains much more information, still encoded. |
| 2414 * Now we need to decode that. |
| 2415 */ |
| 2416 rv = ocsp_DecodeResponseBytes(arena, response->responseBytes); |
| 2417 if (rv != SECSuccess) { |
| 2418 goto loser; |
| 2419 } |
| 2420 |
| 2421 return response; |
2680 | 2422 |
2681 loser: | 2423 loser: |
2682 if (arena != NULL) { | 2424 if (arena != NULL) { |
2683 » PORT_FreeArena(arena, PR_FALSE); | 2425 PORT_FreeArena(arena, PR_FALSE); |
2684 } | 2426 } |
2685 return NULL; | 2427 return NULL; |
2686 } | 2428 } |
2687 | 2429 |
2688 /* | 2430 /* |
2689 * The way an OCSPResponse is defined, there are many levels to descend | 2431 * The way an OCSPResponse is defined, there are many levels to descend |
2690 * before getting to the actual response information. And along the way | 2432 * before getting to the actual response information. And along the way |
2691 * we need to check that the response *type* is recognizable, which for | 2433 * we need to check that the response *type* is recognizable, which for |
2692 * now means that it is a BasicOCSPResponse, because that is the only | 2434 * now means that it is a BasicOCSPResponse, because that is the only |
2693 * type currently defined. Rather than force all routines to perform | 2435 * type currently defined. Rather than force all routines to perform |
2694 * a bunch of sanity checking every time they want to work on a response, | 2436 * a bunch of sanity checking every time they want to work on a response, |
2695 * this function isolates that and gives back the interesting part. | 2437 * this function isolates that and gives back the interesting part. |
2696 * Note that no copying is done, this just returns a pointer into the | 2438 * Note that no copying is done, this just returns a pointer into the |
2697 * substructure of the response which is passed in. | 2439 * substructure of the response which is passed in. |
2698 * | 2440 * |
2699 * XXX This routine only works when a valid response structure is passed | 2441 * XXX This routine only works when a valid response structure is passed |
2700 * into it; this is checked with many assertions. Assuming the response | 2442 * into it; this is checked with many assertions. Assuming the response |
2701 * was creating by decoding, it wouldn't make it this far without being | 2443 * was creating by decoding, it wouldn't make it this far without being |
2702 * okay. That is a sufficient assumption since the entire OCSP interface | 2444 * okay. That is a sufficient assumption since the entire OCSP interface |
2703 * is only used internally. When this interface is officially exported, | 2445 * is only used internally. When this interface is officially exported, |
2704 * each assertion below will need to be followed-up with setting an error | 2446 * each assertion below will need to be followed-up with setting an error |
2705 * and returning (null). | 2447 * and returning (null). |
2706 * | 2448 * |
2707 * FUNCTION: ocsp_GetResponseData | 2449 * FUNCTION: ocsp_GetResponseData |
2708 * Returns ocspResponseData structure and a pointer to tbs response | 2450 * Returns ocspResponseData structure and a pointer to tbs response |
2709 * data DER from a valid ocsp response. | 2451 * data DER from a valid ocsp response. |
2710 * INPUTS: | 2452 * INPUTS: |
2711 * CERTOCSPResponse *response | 2453 * CERTOCSPResponse *response |
2712 * structure of a valid ocsp response | 2454 * structure of a valid ocsp response |
2713 * RETURN: | 2455 * RETURN: |
2714 * Returns a pointer to ocspResponseData structure: decoded OCSP response | 2456 * Returns a pointer to ocspResponseData structure: decoded OCSP response |
2715 * data, and a pointer(tbsResponseDataDER) to its undecoded data DER. | 2457 * data, and a pointer(tbsResponseDataDER) to its undecoded data DER. |
2716 */ | 2458 */ |
2717 ocspResponseData * | 2459 ocspResponseData *ocsp_GetResponseData(CERTOCSPResponse *response, |
2718 ocsp_GetResponseData(CERTOCSPResponse *response, SECItem **tbsResponseDataDER) | 2460 SECItem **tbsResponseDataDER) { |
2719 { | 2461 ocspBasicOCSPResponse *basic; |
2720 ocspBasicOCSPResponse *basic; | 2462 ocspResponseData *responseData; |
2721 ocspResponseData *responseData; | 2463 |
2722 | 2464 PORT_Assert(response != NULL); |
2723 PORT_Assert(response != NULL); | 2465 |
2724 | 2466 PORT_Assert(response->responseBytes != NULL); |
2725 PORT_Assert(response->responseBytes != NULL); | 2467 |
2726 | 2468 PORT_Assert(response->responseBytes->responseTypeTag == |
2727 PORT_Assert(response->responseBytes->responseTypeTag | 2469 SEC_OID_PKIX_OCSP_BASIC_RESPONSE); |
2728 » » == SEC_OID_PKIX_OCSP_BASIC_RESPONSE); | 2470 |
2729 | 2471 basic = response->responseBytes->decodedResponse.basic; |
2730 basic = response->responseBytes->decodedResponse.basic; | 2472 PORT_Assert(basic != NULL); |
2731 PORT_Assert(basic != NULL); | 2473 |
2732 | 2474 responseData = basic->tbsResponseData; |
2733 responseData = basic->tbsResponseData; | 2475 PORT_Assert(responseData != NULL); |
2734 PORT_Assert(responseData != NULL); | 2476 |
2735 | 2477 if (tbsResponseDataDER) { |
2736 if (tbsResponseDataDER) { | 2478 *tbsResponseDataDER = &basic->tbsResponseDataDER; |
2737 *tbsResponseDataDER = &basic->tbsResponseDataDER; | 2479 |
2738 | 2480 PORT_Assert((*tbsResponseDataDER)->data != NULL); |
2739 PORT_Assert((*tbsResponseDataDER)->data != NULL); | 2481 PORT_Assert((*tbsResponseDataDER)->len != 0); |
2740 PORT_Assert((*tbsResponseDataDER)->len != 0); | 2482 } |
2741 } | 2483 |
2742 | 2484 return responseData; |
2743 return responseData; | |
2744 } | 2485 } |
2745 | 2486 |
2746 /* | 2487 /* |
2747 * Much like the routine above, except it returns the response signature. | 2488 * Much like the routine above, except it returns the response signature. |
2748 * Again, no copy is done. | 2489 * Again, no copy is done. |
2749 */ | 2490 */ |
2750 ocspSignature * | 2491 ocspSignature *ocsp_GetResponseSignature(CERTOCSPResponse *response) { |
2751 ocsp_GetResponseSignature(CERTOCSPResponse *response) | 2492 ocspBasicOCSPResponse *basic; |
2752 { | 2493 |
2753 ocspBasicOCSPResponse *basic; | 2494 PORT_Assert(response != NULL); |
2754 | 2495 if (NULL == response->responseBytes) { |
2755 PORT_Assert(response != NULL); | 2496 return NULL; |
2756 if (NULL == response->responseBytes) { | 2497 } |
2757 return NULL; | 2498 if (response->responseBytes->responseTypeTag != |
2758 } | 2499 SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { |
2759 if (response->responseBytes->responseTypeTag | 2500 return NULL; |
2760 != SEC_OID_PKIX_OCSP_BASIC_RESPONSE) { | 2501 } |
2761 return NULL; | 2502 basic = response->responseBytes->decodedResponse.basic; |
2762 } | 2503 PORT_Assert(basic != NULL); |
2763 basic = response->responseBytes->decodedResponse.basic; | 2504 |
2764 PORT_Assert(basic != NULL); | 2505 return &(basic->responseSignature); |
2765 | 2506 } |
2766 return &(basic->responseSignature); | |
2767 } | |
2768 | |
2769 | 2507 |
2770 /* | 2508 /* |
2771 * FUNCTION: CERT_DestroyOCSPResponse | 2509 * FUNCTION: CERT_DestroyOCSPResponse |
2772 * Frees an OCSP Response structure. | 2510 * Frees an OCSP Response structure. |
2773 * INPUTS: | 2511 * INPUTS: |
2774 * CERTOCSPResponse *request | 2512 * CERTOCSPResponse *request |
2775 * Pointer to CERTOCSPResponse to be freed. | 2513 * Pointer to CERTOCSPResponse to be freed. |
2776 * RETURN: | 2514 * RETURN: |
2777 * No return value; no errors. | 2515 * No return value; no errors. |
2778 */ | 2516 */ |
2779 void | 2517 void CERT_DestroyOCSPResponse(CERTOCSPResponse *response) { |
2780 CERT_DestroyOCSPResponse(CERTOCSPResponse *response) | 2518 if (response != NULL) { |
2781 { | 2519 ocspSignature *signature = ocsp_GetResponseSignature(response); |
2782 if (response != NULL) { | 2520 if (signature && signature->cert != NULL) |
2783 » ocspSignature *signature = ocsp_GetResponseSignature(response); | 2521 CERT_DestroyCertificate(signature->cert); |
2784 » if (signature && signature->cert != NULL) | 2522 |
2785 » CERT_DestroyCertificate(signature->cert); | 2523 /* |
2786 | 2524 * We should actually never have a response without an arena, |
2787 » /* | 2525 * but check just in case. (If there isn't one, there is not |
2788 » * We should actually never have a response without an arena, | 2526 * much we can do about it...) |
2789 » * but check just in case. (If there isn't one, there is not | 2527 */ |
2790 » * much we can do about it...) | 2528 PORT_Assert(response->arena != NULL); |
2791 » */ | 2529 if (response->arena != NULL) { |
2792 » PORT_Assert(response->arena != NULL); | 2530 PORT_FreeArena(response->arena, PR_FALSE); |
2793 » if (response->arena != NULL) { | 2531 } |
2794 » PORT_FreeArena(response->arena, PR_FALSE); | 2532 } |
2795 » } | 2533 } |
2796 } | |
2797 } | |
2798 | |
2799 | 2534 |
2800 /* | 2535 /* |
2801 * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response): | 2536 * OVERALL OCSP CLIENT SUPPORT (make and send a request, verify a response): |
2802 */ | 2537 */ |
2803 | 2538 |
2804 | |
2805 /* | 2539 /* |
2806 * Pick apart a URL, saving the important things in the passed-in pointers. | 2540 * Pick apart a URL, saving the important things in the passed-in pointers. |
2807 * | 2541 * |
2808 * We expect to find "http://<hostname>[:<port>]/[path]", though we will | 2542 * We expect to find "http://<hostname>[:<port>]/[path]", though we will |
2809 * tolerate that final slash character missing, as well as beginning and | 2543 * tolerate that final slash character missing, as well as beginning and |
2810 * trailing whitespace, and any-case-characters for "http". All of that | 2544 * trailing whitespace, and any-case-characters for "http". All of that |
2811 * tolerance is what complicates this routine. What we want is just to | 2545 * tolerance is what complicates this routine. What we want is just to |
2812 * pick out the hostname, the port, and the path. | 2546 * pick out the hostname, the port, and the path. |
2813 * | 2547 * |
2814 * On a successful return, the caller will need to free the output pieces | 2548 * On a successful return, the caller will need to free the output pieces |
2815 * of hostname and path, which are copies of the values found in the url. | 2549 * of hostname and path, which are copies of the values found in the url. |
2816 */ | 2550 */ |
2817 static SECStatus | 2551 static SECStatus ocsp_ParseURL(const char *url, char **pHostname, |
2818 ocsp_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) | 2552 PRUint16 *pPort, char **pPath) { |
2819 { | 2553 unsigned short port = 80; /* default, in case not in url */ |
2820 unsigned short port = 80;» » /* default, in case not in url */ | 2554 char *hostname = NULL; |
2821 char *hostname = NULL; | 2555 char *path = NULL; |
2822 char *path = NULL; | 2556 const char *save; |
2823 const char *save; | 2557 char c; |
2824 char c; | 2558 int len; |
2825 int len; | 2559 |
2826 | 2560 if (url == NULL) goto loser; |
2827 if (url == NULL) | 2561 |
2828 » goto loser; | 2562 /* |
2829 | 2563 * Skip beginning whitespace. |
2830 /* | 2564 */ |
2831 * Skip beginning whitespace. | 2565 c = *url; |
2832 */ | 2566 while ((c == ' ' || c == '\t') && c != '\0') { |
| 2567 url++; |
2833 c = *url; | 2568 c = *url; |
2834 while ((c == ' ' || c == '\t') && c != '\0') { | 2569 } |
2835 » url++; | 2570 if (c == '\0') goto loser; |
2836 » c = *url; | 2571 |
2837 } | 2572 /* |
2838 if (c == '\0') | 2573 * Confirm, then skip, protocol. (Since we only know how to do http, |
2839 » goto loser; | 2574 * that is all we will accept). |
2840 | 2575 */ |
2841 /* | 2576 if (PORT_Strncasecmp(url, "http://", 7) != 0) goto loser; |
2842 * Confirm, then skip, protocol. (Since we only know how to do http, | 2577 url += 7; |
2843 * that is all we will accept). | 2578 |
2844 */ | 2579 /* |
2845 if (PORT_Strncasecmp(url, "http://", 7) != 0) | 2580 * Whatever comes next is the hostname (or host IP address). We just |
2846 » goto loser; | 2581 * save it aside and then search for its end so we can determine its |
2847 url += 7; | 2582 * length and copy it. |
2848 | 2583 * |
2849 /* | 2584 * XXX Note that because we treat a ':' as a terminator character |
2850 * Whatever comes next is the hostname (or host IP address). We just | 2585 * (and below, we expect that to mean there is a port specification |
2851 * save it aside and then search for its end so we can determine its | 2586 * immediately following), we will not handle IPv6 addresses. That is |
2852 * length and copy it. | 2587 * apparently an acceptable limitation, for the time being. Some day, |
2853 * | 2588 * when there is a clear way to specify a URL with an IPv6 address that |
2854 * XXX Note that because we treat a ':' as a terminator character | 2589 * can be parsed unambiguously, this code should be made to do that. |
2855 * (and below, we expect that to mean there is a port specification | 2590 */ |
2856 * immediately following), we will not handle IPv6 addresses. That is | 2591 save = url; |
2857 * apparently an acceptable limitation, for the time being. Some day, | 2592 c = *url; |
2858 * when there is a clear way to specify a URL with an IPv6 address that | 2593 while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') { |
2859 * can be parsed unambiguously, this code should be made to do that. | 2594 url++; |
2860 */ | 2595 c = *url; |
| 2596 } |
| 2597 len = url - save; |
| 2598 hostname = PORT_Alloc(len + 1); |
| 2599 if (hostname == NULL) goto loser; |
| 2600 PORT_Memcpy(hostname, save, len); |
| 2601 hostname[len] = '\0'; |
| 2602 |
| 2603 /* |
| 2604 * Now we figure out if there was a port specified or not. |
| 2605 * If so, we need to parse it (as a number) and skip it. |
| 2606 */ |
| 2607 if (c == ':') { |
| 2608 url++; |
| 2609 port = (unsigned short)PORT_Atoi(url); |
| 2610 c = *url; |
| 2611 while (c != '/' && c != '\0' && c != ' ' && c != '\t') { |
| 2612 if (c < '0' || c > '9') goto loser; |
| 2613 url++; |
| 2614 c = *url; |
| 2615 } |
| 2616 } |
| 2617 |
| 2618 /* |
| 2619 * Last thing to find is a path. There *should* be a slash, |
| 2620 * if nothing else -- but if there is not we provide one. |
| 2621 */ |
| 2622 if (c == '/') { |
2861 save = url; | 2623 save = url; |
2862 c = *url; | 2624 while (c != '\0' && c != ' ' && c != '\t') { |
2863 while (c != '/' && c != ':' && c != '\0' && c != ' ' && c != '\t') { | 2625 url++; |
2864 » url++; | 2626 c = *url; |
2865 » c = *url; | |
2866 } | 2627 } |
2867 len = url - save; | 2628 len = url - save; |
2868 hostname = PORT_Alloc(len + 1); | 2629 path = PORT_Alloc(len + 1); |
2869 if (hostname == NULL) | 2630 if (path == NULL) goto loser; |
2870 » goto loser; | 2631 PORT_Memcpy(path, save, len); |
2871 PORT_Memcpy(hostname, save, len); | 2632 path[len] = '\0'; |
2872 hostname[len] = '\0'; | 2633 } else { |
2873 | 2634 path = PORT_Strdup("/"); |
2874 /* | 2635 if (path == NULL) goto loser; |
2875 * Now we figure out if there was a port specified or not. | 2636 } |
2876 * If so, we need to parse it (as a number) and skip it. | 2637 |
2877 */ | 2638 *pHostname = hostname; |
2878 if (c == ':') { | 2639 *pPort = port; |
2879 » url++; | 2640 *pPath = path; |
2880 » port = (unsigned short) PORT_Atoi(url); | 2641 return SECSuccess; |
2881 » c = *url; | |
2882 » while (c != '/' && c != '\0' && c != ' ' && c != '\t') { | |
2883 » if (c < '0' || c > '9') | |
2884 » » goto loser; | |
2885 » url++; | |
2886 » c = *url; | |
2887 » } | |
2888 } | |
2889 | |
2890 /* | |
2891 * Last thing to find is a path. There *should* be a slash, | |
2892 * if nothing else -- but if there is not we provide one. | |
2893 */ | |
2894 if (c == '/') { | |
2895 » save = url; | |
2896 » while (c != '\0' && c != ' ' && c != '\t') { | |
2897 » url++; | |
2898 » c = *url; | |
2899 » } | |
2900 » len = url - save; | |
2901 » path = PORT_Alloc(len + 1); | |
2902 » if (path == NULL) | |
2903 » goto loser; | |
2904 » PORT_Memcpy(path, save, len); | |
2905 » path[len] = '\0'; | |
2906 } else { | |
2907 » path = PORT_Strdup("/"); | |
2908 » if (path == NULL) | |
2909 » goto loser; | |
2910 } | |
2911 | |
2912 *pHostname = hostname; | |
2913 *pPort = port; | |
2914 *pPath = path; | |
2915 return SECSuccess; | |
2916 | 2642 |
2917 loser: | 2643 loser: |
2918 if (hostname != NULL) | 2644 if (hostname != NULL) PORT_Free(hostname); |
2919 » PORT_Free(hostname); | 2645 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); |
2920 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | 2646 return SECFailure; |
2921 return SECFailure; | |
2922 } | 2647 } |
2923 | 2648 |
2924 /* | 2649 /* |
2925 * Open a socket to the specified host on the specified port, and return it. | 2650 * Open a socket to the specified host on the specified port, and return it. |
2926 * The host is either a hostname or an IP address. | 2651 * The host is either a hostname or an IP address. |
2927 */ | 2652 */ |
2928 static PRFileDesc * | 2653 static PRFileDesc *ocsp_ConnectToHost(const char *host, PRUint16 port) { |
2929 ocsp_ConnectToHost(const char *host, PRUint16 port) | 2654 PRFileDesc *sock = NULL; |
2930 { | 2655 PRIntervalTime timeout; |
2931 PRFileDesc *sock = NULL; | 2656 PRNetAddr addr; |
2932 PRIntervalTime timeout; | 2657 char *netdbbuf = NULL; |
2933 PRNetAddr addr; | 2658 |
2934 char *netdbbuf = NULL; | 2659 sock = PR_NewTCPSocket(); |
2935 | 2660 if (sock == NULL) goto loser; |
2936 sock = PR_NewTCPSocket(); | 2661 |
2937 if (sock == NULL) | 2662 /* XXX Some day need a way to set (and get?) the following value */ |
2938 » goto loser; | 2663 timeout = PR_SecondsToInterval(30); |
2939 | 2664 |
2940 /* XXX Some day need a way to set (and get?) the following value */ | 2665 /* |
2941 timeout = PR_SecondsToInterval(30); | 2666 * If the following converts an IP address string in "dot notation" |
2942 | 2667 * into a PRNetAddr. If it fails, we assume that is because we do not |
| 2668 * have such an address, but instead a host *name*. In that case we |
| 2669 * then lookup the host by name. Using the NSPR function this way |
| 2670 * means we do not have to have our own logic for distinguishing a |
| 2671 * valid numerical IP address from a hostname. |
| 2672 */ |
| 2673 if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) { |
| 2674 PRIntn hostIndex; |
| 2675 PRHostEnt hostEntry; |
| 2676 |
| 2677 netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE); |
| 2678 if (netdbbuf == NULL) goto loser; |
| 2679 |
| 2680 if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE, &hostEntry) != |
| 2681 PR_SUCCESS) |
| 2682 goto loser; |
| 2683 |
| 2684 hostIndex = 0; |
| 2685 do { |
| 2686 hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr); |
| 2687 if (hostIndex <= 0) goto loser; |
| 2688 } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS); |
| 2689 |
| 2690 PORT_Free(netdbbuf); |
| 2691 } else { |
2943 /* | 2692 /* |
2944 * If the following converts an IP address string in "dot notation" | 2693 * First put the port into the address, then connect. |
2945 * into a PRNetAddr. If it fails, we assume that is because we do not | |
2946 * have such an address, but instead a host *name*. In that case we | |
2947 * then lookup the host by name. Using the NSPR function this way | |
2948 * means we do not have to have our own logic for distinguishing a | |
2949 * valid numerical IP address from a hostname. | |
2950 */ | 2694 */ |
2951 if (PR_StringToNetAddr(host, &addr) != PR_SUCCESS) { | 2695 if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS) |
2952 » PRIntn hostIndex; | 2696 goto loser; |
2953 » PRHostEnt hostEntry; | 2697 if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS) goto loser; |
2954 | 2698 } |
2955 » netdbbuf = PORT_Alloc(PR_NETDB_BUF_SIZE); | 2699 |
2956 » if (netdbbuf == NULL) | 2700 return sock; |
2957 » goto loser; | |
2958 | |
2959 » if (PR_GetHostByName(host, netdbbuf, PR_NETDB_BUF_SIZE, | |
2960 » » » &hostEntry) != PR_SUCCESS) | |
2961 » goto loser; | |
2962 | |
2963 » hostIndex = 0; | |
2964 » do { | |
2965 » hostIndex = PR_EnumerateHostEnt(hostIndex, &hostEntry, port, &addr); | |
2966 » if (hostIndex <= 0) | |
2967 » » goto loser; | |
2968 » } while (PR_Connect(sock, &addr, timeout) != PR_SUCCESS); | |
2969 | |
2970 » PORT_Free(netdbbuf); | |
2971 } else { | |
2972 » /* | |
2973 » * First put the port into the address, then connect. | |
2974 » */ | |
2975 » if (PR_InitializeNetAddr(PR_IpAddrNull, port, &addr) != PR_SUCCESS) | |
2976 » goto loser; | |
2977 » if (PR_Connect(sock, &addr, timeout) != PR_SUCCESS) | |
2978 » goto loser; | |
2979 } | |
2980 | |
2981 return sock; | |
2982 | 2701 |
2983 loser: | 2702 loser: |
2984 if (sock != NULL) | 2703 if (sock != NULL) PR_Close(sock); |
2985 » PR_Close(sock); | 2704 if (netdbbuf != NULL) PORT_Free(netdbbuf); |
2986 if (netdbbuf != NULL) | 2705 return NULL; |
2987 » PORT_Free(netdbbuf); | |
2988 return NULL; | |
2989 } | 2706 } |
2990 | 2707 |
2991 /* | 2708 /* |
2992 * Sends an encoded OCSP request to the server identified by "location", | 2709 * Sends an encoded OCSP request to the server identified by "location", |
2993 * and returns the socket on which it was sent (so can listen for the reply). | 2710 * and returns the socket on which it was sent (so can listen for the reply). |
2994 * "location" is expected to be a valid URL -- an error parsing it produces | 2711 * "location" is expected to be a valid URL -- an error parsing it produces |
2995 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION. Other errors are likely problems | 2712 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION. Other errors are likely problems |
2996 * connecting to it, or writing to it, or allocating memory, and the low-level | 2713 * connecting to it, or writing to it, or allocating memory, and the low-level |
2997 * errors appropriate to the problem will be set. | 2714 * errors appropriate to the problem will be set. |
2998 * if (encodedRequest == NULL) | 2715 * if (encodedRequest == NULL) |
2999 * then location MUST already include the full request, | 2716 * then location MUST already include the full request, |
3000 * including base64 and urlencode, | 2717 * including base64 and urlencode, |
3001 * and the request will be sent with GET | 2718 * and the request will be sent with GET |
3002 * if (encodedRequest != NULL) | 2719 * if (encodedRequest != NULL) |
3003 * then the request will be sent with POST | 2720 * then the request will be sent with POST |
3004 */ | 2721 */ |
3005 static PRFileDesc * | 2722 static PRFileDesc *ocsp_SendEncodedRequest(const char *location, |
3006 ocsp_SendEncodedRequest(const char *location, const SECItem *encodedRequest) | 2723 const SECItem *encodedRequest) { |
3007 { | 2724 char *hostname = NULL; |
3008 char *hostname = NULL; | 2725 char *path = NULL; |
3009 char *path = NULL; | 2726 PRUint16 port; |
3010 PRUint16 port; | 2727 SECStatus rv; |
3011 SECStatus rv; | 2728 PRFileDesc *sock = NULL; |
3012 PRFileDesc *sock = NULL; | 2729 PRFileDesc *returnSock = NULL; |
3013 PRFileDesc *returnSock = NULL; | 2730 char *header = NULL; |
3014 char *header = NULL; | 2731 char portstr[16]; |
3015 char portstr[16]; | 2732 |
| 2733 /* |
| 2734 * Take apart the location, getting the hostname, port, and path. |
| 2735 */ |
| 2736 rv = ocsp_ParseURL(location, &hostname, &port, &path); |
| 2737 if (rv != SECSuccess) goto loser; |
| 2738 |
| 2739 PORT_Assert(hostname != NULL); |
| 2740 PORT_Assert(path != NULL); |
| 2741 |
| 2742 sock = ocsp_ConnectToHost(hostname, port); |
| 2743 if (sock == NULL) goto loser; |
| 2744 |
| 2745 portstr[0] = '\0'; |
| 2746 if (port != 80) { |
| 2747 PR_snprintf(portstr, sizeof(portstr), ":%d", port); |
| 2748 } |
| 2749 |
| 2750 if (!encodedRequest) { |
| 2751 header = PR_smprintf( |
| 2752 "GET %s HTTP/1.0\r\n" |
| 2753 "Host: %s%s\r\n\r\n", |
| 2754 path, hostname, portstr); |
| 2755 if (header == NULL) goto loser; |
3016 | 2756 |
3017 /* | 2757 /* |
3018 * Take apart the location, getting the hostname, port, and path. | 2758 * The NSPR documentation promises that if it can, it will write the full |
3019 */ | 2759 * amount; this will not return a partial value expecting us to loop. |
3020 rv = ocsp_ParseURL(location, &hostname, &port, &path); | 2760 */ |
3021 if (rv != SECSuccess) | 2761 if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0) goto loser; |
3022 » goto loser; | 2762 } else { |
3023 | 2763 header = PR_smprintf( |
3024 PORT_Assert(hostname != NULL); | 2764 "POST %s HTTP/1.0\r\n" |
3025 PORT_Assert(path != NULL); | 2765 "Host: %s%s\r\n" |
3026 | 2766 "Content-Type: application/ocsp-request\r\n" |
3027 sock = ocsp_ConnectToHost(hostname, port); | 2767 "Content-Length: %u\r\n\r\n", |
3028 if (sock == NULL) | 2768 path, hostname, portstr, encodedRequest->len); |
3029 » goto loser; | 2769 if (header == NULL) goto loser; |
3030 | 2770 |
3031 portstr[0] = '\0'; | 2771 /* |
3032 if (port != 80) { | 2772 * The NSPR documentation promises that if it can, it will write the full |
3033 PR_snprintf(portstr, sizeof(portstr), ":%d", port); | 2773 * amount; this will not return a partial value expecting us to loop. |
3034 } | 2774 */ |
3035 | 2775 if (PR_Write(sock, header, (PRInt32)PORT_Strlen(header)) < 0) goto loser; |
3036 if (!encodedRequest) { | 2776 |
3037 header = PR_smprintf("GET %s HTTP/1.0\r\n" | 2777 if (PR_Write(sock, encodedRequest->data, (PRInt32)encodedRequest->len) < 0) |
3038 "Host: %s%s\r\n\r\n", | 2778 goto loser; |
3039 path, hostname, portstr); | 2779 } |
3040 if (header == NULL) | 2780 |
3041 goto loser; | 2781 returnSock = sock; |
3042 | 2782 sock = NULL; |
3043 /* | |
3044 * The NSPR documentation promises that if it can, it will write the full | |
3045 * amount; this will not return a partial value expecting us to loop. | |
3046 */ | |
3047 if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0) | |
3048 goto loser; | |
3049 } | |
3050 else { | |
3051 header = PR_smprintf("POST %s HTTP/1.0\r\n" | |
3052 "Host: %s%s\r\n" | |
3053 "Content-Type: application/ocsp-request\r\n" | |
3054 "Content-Length: %u\r\n\r\n", | |
3055 path, hostname, portstr, encodedRequest->len); | |
3056 if (header == NULL) | |
3057 goto loser; | |
3058 | |
3059 /* | |
3060 * The NSPR documentation promises that if it can, it will write the full | |
3061 * amount; this will not return a partial value expecting us to loop. | |
3062 */ | |
3063 if (PR_Write(sock, header, (PRInt32) PORT_Strlen(header)) < 0) | |
3064 goto loser; | |
3065 | |
3066 if (PR_Write(sock, encodedRequest->data, | |
3067 (PRInt32) encodedRequest->len) < 0) | |
3068 goto loser; | |
3069 } | |
3070 | |
3071 returnSock = sock; | |
3072 sock = NULL; | |
3073 | 2783 |
3074 loser: | 2784 loser: |
3075 if (header != NULL) | 2785 if (header != NULL) PORT_Free(header); |
3076 » PORT_Free(header); | 2786 if (sock != NULL) PR_Close(sock); |
3077 if (sock != NULL) | 2787 if (path != NULL) PORT_Free(path); |
3078 » PR_Close(sock); | 2788 if (hostname != NULL) PORT_Free(hostname); |
3079 if (path != NULL) | 2789 |
3080 » PORT_Free(path); | 2790 return returnSock; |
3081 if (hostname != NULL) | |
3082 » PORT_Free(hostname); | |
3083 | |
3084 return returnSock; | |
3085 } | 2791 } |
3086 | 2792 |
3087 /* | 2793 /* |
3088 * Read from "fd" into "buf" -- expect/attempt to read a given number of bytes | 2794 * Read from "fd" into "buf" -- expect/attempt to read a given number of bytes |
3089 * Obviously, stop if hit end-of-stream. Timeout is passed in. | 2795 * Obviously, stop if hit end-of-stream. Timeout is passed in. |
3090 */ | 2796 */ |
3091 | 2797 |
3092 static int | 2798 static int ocsp_read(PRFileDesc *fd, char *buf, int toread, |
3093 ocsp_read(PRFileDesc *fd, char *buf, int toread, PRIntervalTime timeout) | 2799 PRIntervalTime timeout) { |
3094 { | 2800 int total = 0; |
3095 int total = 0; | 2801 |
3096 | 2802 while (total < toread) { |
3097 while (total < toread) | 2803 PRInt32 got; |
3098 { | 2804 |
3099 PRInt32 got; | 2805 got = PR_Recv(fd, buf + total, (PRInt32)(toread - total), 0, timeout); |
3100 | 2806 if (got < 0) { |
3101 got = PR_Recv(fd, buf + total, (PRInt32) (toread - total), 0, timeout); | 2807 if (0 == total) { |
3102 if (got < 0) | 2808 total = -1; /* report the error if we didn't read anything yet */ |
3103 { | 2809 } |
3104 if (0 == total) | 2810 break; |
3105 { | 2811 } else if (got == 0) {/* EOS */ |
3106 total = -1; /* report the error if we didn't read anything yet *
/ | 2812 break; |
3107 } | 2813 } |
3108 break; | 2814 |
3109 } | 2815 total += got; |
3110 else | 2816 } |
3111 if (got == 0) | 2817 |
3112 {» » » /* EOS */ | 2818 return total; |
3113 break; | |
3114 } | |
3115 | |
3116 total += got; | |
3117 } | |
3118 | |
3119 return total; | |
3120 } | 2819 } |
3121 | 2820 |
3122 #define OCSP_BUFSIZE 1024 | 2821 #define OCSP_BUFSIZE 1024 |
3123 | 2822 |
3124 #define AbortHttpDecode(error) \ | 2823 #define AbortHttpDecode(error) \ |
3125 { \ | 2824 { \ |
3126 if (inBuffer) \ | 2825 if (inBuffer) PORT_Free(inBuffer); \ |
3127 PORT_Free(inBuffer); \ | 2826 PORT_SetError(error); \ |
3128 PORT_SetError(error); \ | 2827 return NULL; \ |
3129 return NULL; \ | 2828 } |
3130 } | |
3131 | |
3132 | 2829 |
3133 /* | 2830 /* |
3134 * Reads on the given socket and returns an encoded response when received. | 2831 * Reads on the given socket and returns an encoded response when received. |
3135 * Properly formatted HTTP/1.0 response headers are expected to be read | 2832 * Properly formatted HTTP/1.0 response headers are expected to be read |
3136 * from the socket, preceding a binary-encoded OCSP response. Problems | 2833 * from the socket, preceding a binary-encoded OCSP response. Problems |
3137 * with parsing cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be | 2834 * with parsing cause the error SEC_ERROR_OCSP_BAD_HTTP_RESPONSE to be |
3138 * set; any other problems are likely low-level i/o or memory allocation | 2835 * set; any other problems are likely low-level i/o or memory allocation |
3139 * errors. | 2836 * errors. |
3140 */ | 2837 */ |
3141 static SECItem * | 2838 static SECItem *ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) { |
3142 ocsp_GetEncodedResponse(PLArenaPool *arena, PRFileDesc *sock) | 2839 /* first read HTTP status line and headers */ |
3143 { | 2840 |
3144 /* first read HTTP status line and headers */ | 2841 char *inBuffer = NULL; |
3145 | 2842 PRInt32 offset = 0; |
3146 char* inBuffer = NULL; | 2843 PRInt32 inBufsize = 0; |
3147 PRInt32 offset = 0; | 2844 const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */ |
3148 PRInt32 inBufsize = 0; | 2845 const PRInt32 maxBufSize = 8 * bufSizeIncrement; /* 8 KB max */ |
3149 const PRInt32 bufSizeIncrement = OCSP_BUFSIZE; /* 1 KB at a time */ | 2846 const char *CRLF = "\r\n"; |
3150 const PRInt32 maxBufSize = 8 * bufSizeIncrement ; /* 8 KB max */ | 2847 const PRInt32 CRLFlen = strlen(CRLF); |
3151 const char* CRLF = "\r\n"; | 2848 const char *headerEndMark = "\r\n\r\n"; |
3152 const PRInt32 CRLFlen = strlen(CRLF); | 2849 const PRInt32 markLen = strlen(headerEndMark); |
3153 const char* headerEndMark = "\r\n\r\n"; | 2850 const PRIntervalTime ocsptimeout = |
3154 const PRInt32 markLen = strlen(headerEndMark); | 2851 PR_SecondsToInterval(30); /* hardcoded to 30s for now */ |
3155 const PRIntervalTime ocsptimeout = | 2852 char *headerEnd = NULL; |
3156 PR_SecondsToInterval(30); /* hardcoded to 30s for now */ | 2853 PRBool EOS = PR_FALSE; |
3157 char* headerEnd = NULL; | 2854 const char *httpprotocol = "HTTP/"; |
3158 PRBool EOS = PR_FALSE; | 2855 const PRInt32 httplen = strlen(httpprotocol); |
3159 const char* httpprotocol = "HTTP/"; | 2856 const char *httpcode = NULL; |
3160 const PRInt32 httplen = strlen(httpprotocol); | 2857 const char *contenttype = NULL; |
3161 const char* httpcode = NULL; | 2858 PRInt32 contentlength = 0; |
3162 const char* contenttype = NULL; | 2859 PRInt32 bytesRead = 0; |
3163 PRInt32 contentlength = 0; | 2860 char *statusLineEnd = NULL; |
3164 PRInt32 bytesRead = 0; | 2861 char *space = NULL; |
3165 char* statusLineEnd = NULL; | 2862 char *nextHeader = NULL; |
3166 char* space = NULL; | 2863 SECItem *result = NULL; |
3167 char* nextHeader = NULL; | 2864 |
3168 SECItem* result = NULL; | 2865 /* read up to at least the end of the HTTP headers */ |
3169 | 2866 do { |
3170 /* read up to at least the end of the HTTP headers */ | 2867 inBufsize += bufSizeIncrement; |
3171 do | 2868 inBuffer = PORT_Realloc(inBuffer, inBufsize + 1); |
3172 { | 2869 if (NULL == inBuffer) { |
3173 inBufsize += bufSizeIncrement; | 2870 AbortHttpDecode(SEC_ERROR_NO_MEMORY); |
3174 inBuffer = PORT_Realloc(inBuffer, inBufsize+1); | 2871 } |
3175 if (NULL == inBuffer) | 2872 bytesRead = |
3176 { | 2873 ocsp_read(sock, inBuffer + offset, bufSizeIncrement, ocsptimeout); |
3177 AbortHttpDecode(SEC_ERROR_NO_MEMORY); | 2874 if (bytesRead > 0) { |
3178 } | 2875 PRInt32 searchOffset = (offset - markLen) > 0 ? offset - markLen : 0; |
3179 bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement, | 2876 offset += bytesRead; |
3180 ocsptimeout); | 2877 *(inBuffer + offset) = '\0'; /* NULL termination */ |
3181 if (bytesRead > 0) | 2878 headerEnd = strstr((const char *)inBuffer + searchOffset, headerEndMark); |
3182 { | 2879 if (bytesRead < bufSizeIncrement) { |
3183 PRInt32 searchOffset = (offset - markLen) >0 ? offset-markLen : 0; | 2880 /* we read less data than requested, therefore we are at |
3184 offset += bytesRead; | 2881 EOS or there was a read error */ |
3185 *(inBuffer + offset) = '\0'; /* NULL termination */ | 2882 EOS = PR_TRUE; |
3186 headerEnd = strstr((const char*)inBuffer + searchOffset, headerEndMa
rk); | 2883 } |
3187 if (bytesRead < bufSizeIncrement) | 2884 } else { |
3188 { | 2885 /* recv error or EOS */ |
3189 /* we read less data than requested, therefore we are at | 2886 EOS = PR_TRUE; |
3190 EOS or there was a read error */ | 2887 } |
3191 EOS = PR_TRUE; | 2888 } while ((!headerEnd) && (PR_FALSE == EOS) && (inBufsize < maxBufSize)); |
3192 } | 2889 |
3193 } | 2890 if (!headerEnd) { |
3194 else | 2891 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3195 { | 2892 } |
3196 /* recv error or EOS */ | 2893 |
3197 EOS = PR_TRUE; | 2894 /* parse the HTTP status line */ |
3198 } | 2895 statusLineEnd = strstr((const char *)inBuffer, CRLF); |
3199 } while ( (!headerEnd) && (PR_FALSE == EOS) && | 2896 if (!statusLineEnd) { |
3200 (inBufsize < maxBufSize) ); | 2897 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3201 | 2898 } |
3202 if (!headerEnd) | 2899 *statusLineEnd = '\0'; |
3203 { | 2900 |
3204 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2901 /* check for HTTP/ response */ |
3205 } | 2902 space = strchr((const char *)inBuffer, ' '); |
3206 | 2903 if (!space || |
3207 /* parse the HTTP status line */ | 2904 PORT_Strncasecmp((const char *)inBuffer, httpprotocol, httplen) != 0) { |
3208 statusLineEnd = strstr((const char*)inBuffer, CRLF); | 2905 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3209 if (!statusLineEnd) | 2906 } |
3210 { | 2907 |
3211 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2908 /* check the HTTP status code of 200 */ |
3212 } | 2909 httpcode = space + 1; |
3213 *statusLineEnd = '\0'; | 2910 space = strchr(httpcode, ' '); |
3214 | 2911 if (!space) { |
3215 /* check for HTTP/ response */ | 2912 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3216 space = strchr((const char*)inBuffer, ' '); | 2913 } |
3217 if (!space || PORT_Strncasecmp((const char*)inBuffer, httpprotocol, httplen)
!= 0 ) | 2914 *space = 0; |
3218 { | 2915 if (0 != strcmp(httpcode, "200")) { |
3219 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2916 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3220 } | 2917 } |
3221 | 2918 |
3222 /* check the HTTP status code of 200 */ | 2919 /* parse the HTTP headers in the buffer . We only care about |
3223 httpcode = space +1; | 2920 content-type and content-length |
3224 space = strchr(httpcode, ' '); | 2921 */ |
3225 if (!space) | 2922 |
3226 { | 2923 nextHeader = statusLineEnd + CRLFlen; |
3227 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2924 *headerEnd = '\0'; /* terminate */ |
3228 } | 2925 do { |
3229 *space = 0; | 2926 char *thisHeaderEnd = NULL; |
3230 if (0 != strcmp(httpcode, "200")) | 2927 char *value = NULL; |
3231 { | 2928 char *colon = strchr(nextHeader, ':'); |
3232 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2929 |
3233 } | 2930 if (!colon) { |
3234 | 2931 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3235 /* parse the HTTP headers in the buffer . We only care about | 2932 } |
3236 content-type and content-length | 2933 |
3237 */ | 2934 *colon = '\0'; |
3238 | 2935 value = colon + 1; |
3239 nextHeader = statusLineEnd + CRLFlen; | 2936 |
3240 *headerEnd = '\0'; /* terminate */ | 2937 /* jpierre - note : the following code will only handle the basic form |
3241 do | 2938 of HTTP/1.0 response headers, of the form "name: value" . Headers |
3242 { | 2939 split among multiple lines are not supported. This is not common |
3243 char* thisHeaderEnd = NULL; | 2940 and should not be an issue, but it could become one in the |
3244 char* value = NULL; | 2941 future */ |
3245 char* colon = strchr(nextHeader, ':'); | 2942 |
3246 ········ | 2943 if (*value != ' ') { |
3247 if (!colon) | 2944 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3248 { | 2945 } |
3249 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2946 |
3250 } | 2947 value++; |
3251 | 2948 thisHeaderEnd = strstr(value, CRLF); |
3252 *colon = '\0'; | 2949 if (thisHeaderEnd) { |
3253 value = colon + 1; | 2950 *thisHeaderEnd = '\0'; |
3254 | 2951 } |
3255 /* jpierre - note : the following code will only handle the basic form | 2952 |
3256 of HTTP/1.0 response headers, of the form "name: value" . Headers | 2953 if (0 == PORT_Strcasecmp(nextHeader, "content-type")) { |
3257 split among multiple lines are not supported. This is not common | 2954 contenttype = value; |
3258 and should not be an issue, but it could become one in the | 2955 } else if (0 == PORT_Strcasecmp(nextHeader, "content-length")) { |
3259 future */ | 2956 contentlength = atoi(value); |
3260 | 2957 } |
3261 if (*value != ' ') | 2958 |
3262 { | 2959 if (thisHeaderEnd) { |
3263 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2960 nextHeader = thisHeaderEnd + CRLFlen; |
3264 } | 2961 } else { |
3265 | 2962 nextHeader = NULL; |
3266 value++; | 2963 } |
3267 thisHeaderEnd = strstr(value, CRLF); | 2964 |
3268 if (thisHeaderEnd ) | 2965 } while (nextHeader && (nextHeader < (headerEnd + CRLFlen))); |
3269 { | 2966 |
3270 *thisHeaderEnd = '\0'; | 2967 /* check content-type */ |
3271 } | 2968 if (!contenttype || |
3272 | 2969 (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response"))) { |
3273 if (0 == PORT_Strcasecmp(nextHeader, "content-type")) | 2970 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3274 { | 2971 } |
3275 contenttype = value; | 2972 |
3276 } | 2973 /* read the body of the OCSP response */ |
3277 else | 2974 offset = offset - (PRInt32)(headerEnd - (const char *)inBuffer) - markLen; |
3278 if (0 == PORT_Strcasecmp(nextHeader, "content-length")) | 2975 if (offset) { |
3279 { | 2976 /* move all data to the beginning of the buffer */ |
3280 contentlength = atoi(value); | 2977 PORT_Memmove(inBuffer, headerEnd + markLen, offset); |
3281 } | 2978 } |
3282 | 2979 |
3283 if (thisHeaderEnd ) | 2980 /* resize buffer to only what's needed to hold the current response */ |
3284 { | 2981 inBufsize = (1 + (offset - 1) / bufSizeIncrement) * bufSizeIncrement; |
3285 nextHeader = thisHeaderEnd + CRLFlen; | 2982 |
3286 } | 2983 while ((PR_FALSE == EOS) && |
3287 else | 2984 ((contentlength == 0) || (offset < contentlength)) && |
3288 { | 2985 (inBufsize < maxBufSize)) { |
3289 nextHeader = NULL; | 2986 /* we still need to receive more body data */ |
3290 } | 2987 inBufsize += bufSizeIncrement; |
3291 | 2988 inBuffer = PORT_Realloc(inBuffer, inBufsize + 1); |
3292 } while (nextHeader && (nextHeader < (headerEnd + CRLFlen) ) ); | 2989 if (NULL == inBuffer) { |
3293 | 2990 AbortHttpDecode(SEC_ERROR_NO_MEMORY); |
3294 /* check content-type */ | 2991 } |
3295 if (!contenttype || | 2992 bytesRead = |
3296 (0 != PORT_Strcasecmp(contenttype, "application/ocsp-response")) ) | 2993 ocsp_read(sock, inBuffer + offset, bufSizeIncrement, ocsptimeout); |
3297 { | 2994 if (bytesRead > 0) { |
3298 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | 2995 offset += bytesRead; |
3299 } | 2996 if (bytesRead < bufSizeIncrement) { |
3300 | 2997 /* we read less data than requested, therefore we are at |
3301 /* read the body of the OCSP response */ | 2998 EOS or there was a read error */ |
3302 offset = offset - (PRInt32) (headerEnd - (const char*)inBuffer) - markLen; | 2999 EOS = PR_TRUE; |
3303 if (offset) | 3000 } |
3304 { | 3001 } else { |
3305 /* move all data to the beginning of the buffer */ | 3002 /* recv error or EOS */ |
3306 PORT_Memmove(inBuffer, headerEnd + markLen, offset); | 3003 EOS = PR_TRUE; |
3307 } | 3004 } |
3308 | 3005 } |
3309 /* resize buffer to only what's needed to hold the current response */ | 3006 |
3310 inBufsize = (1 + (offset-1) / bufSizeIncrement ) * bufSizeIncrement ; | 3007 if (0 == offset) { |
3311 | 3008 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3312 while ( (PR_FALSE == EOS) && | 3009 } |
3313 ( (contentlength == 0) || (offset < contentlength) ) && | 3010 |
3314 (inBufsize < maxBufSize) | 3011 /* |
3315 ) | 3012 * Now allocate the item to hold the data. |
3316 { | 3013 */ |
3317 /* we still need to receive more body data */ | 3014 result = SECITEM_AllocItem(arena, NULL, offset); |
3318 inBufsize += bufSizeIncrement; | 3015 if (NULL == result) { |
3319 inBuffer = PORT_Realloc(inBuffer, inBufsize+1); | 3016 AbortHttpDecode(SEC_ERROR_NO_MEMORY); |
3320 if (NULL == inBuffer) | 3017 } |
3321 { | 3018 |
3322 AbortHttpDecode(SEC_ERROR_NO_MEMORY); | 3019 /* |
3323 } | 3020 * And copy the data left in the buffer. |
3324 bytesRead = ocsp_read(sock, inBuffer + offset, bufSizeIncrement, | 3021 */ |
3325 ocsptimeout); | 3022 PORT_Memcpy(result->data, inBuffer, offset); |
3326 if (bytesRead > 0) | 3023 |
3327 { | 3024 /* and free the temporary buffer */ |
3328 offset += bytesRead; | 3025 PORT_Free(inBuffer); |
3329 if (bytesRead < bufSizeIncrement) | 3026 return result; |
3330 { | 3027 } |
3331 /* we read less data than requested, therefore we are at | 3028 |
3332 EOS or there was a read error */ | 3029 SECStatus CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, |
3333 EOS = PR_TRUE; | 3030 char **pPath) { |
3334 } | 3031 return ocsp_ParseURL(url, pHostname, pPort, pPath); |
3335 } | |
3336 else | |
3337 { | |
3338 /* recv error or EOS */ | |
3339 EOS = PR_TRUE; | |
3340 } | |
3341 } | |
3342 | |
3343 if (0 == offset) | |
3344 { | |
3345 AbortHttpDecode(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3346 } | |
3347 | |
3348 /* | |
3349 * Now allocate the item to hold the data. | |
3350 */ | |
3351 result = SECITEM_AllocItem(arena, NULL, offset); | |
3352 if (NULL == result) | |
3353 { | |
3354 AbortHttpDecode(SEC_ERROR_NO_MEMORY); | |
3355 } | |
3356 | |
3357 /* | |
3358 * And copy the data left in the buffer. | |
3359 */ | |
3360 PORT_Memcpy(result->data, inBuffer, offset); | |
3361 | |
3362 /* and free the temporary buffer */ | |
3363 PORT_Free(inBuffer); | |
3364 return result; | |
3365 } | |
3366 | |
3367 SECStatus | |
3368 CERT_ParseURL(const char *url, char **pHostname, PRUint16 *pPort, char **pPath) | |
3369 { | |
3370 return ocsp_ParseURL(url, pHostname, pPort, pPath); | |
3371 } | 3032 } |
3372 | 3033 |
3373 /* | 3034 /* |
3374 * Limit the size of http responses we are willing to accept. | 3035 * Limit the size of http responses we are willing to accept. |
3375 */ | 3036 */ |
3376 #define MAX_WANTED_OCSP_RESPONSE_LEN 64*1024 | 3037 #define MAX_WANTED_OCSP_RESPONSE_LEN 64 * 1024 |
3377 | 3038 |
3378 /* if (encodedRequest == NULL) | 3039 /* if (encodedRequest == NULL) |
3379 * then location MUST already include the full request, | 3040 * then location MUST already include the full request, |
3380 * including base64 and urlencode, | 3041 * including base64 and urlencode, |
3381 * and the request will be sent with GET | 3042 * and the request will be sent with GET |
3382 * if (encodedRequest != NULL) | 3043 * if (encodedRequest != NULL) |
3383 * then the request will be sent with POST | 3044 * then the request will be sent with POST |
3384 */ | 3045 */ |
3385 static SECItem * | 3046 static SECItem *fetchOcspHttpClientV1(PLArenaPool *arena, |
3386 fetchOcspHttpClientV1(PLArenaPool *arena,· | 3047 const SEC_HttpClientFcnV1 *hcv1, |
3387 const SEC_HttpClientFcnV1 *hcv1,· | 3048 const char *location, |
3388 const char *location,· | 3049 const SECItem *encodedRequest) { |
3389 const SECItem *encodedRequest) | 3050 char *hostname = NULL; |
3390 { | 3051 char *path = NULL; |
3391 char *hostname = NULL; | 3052 PRUint16 port; |
3392 char *path = NULL; | 3053 SECItem *encodedResponse = NULL; |
3393 PRUint16 port; | 3054 SEC_HTTP_SERVER_SESSION pServerSession = NULL; |
3394 SECItem *encodedResponse = NULL; | 3055 SEC_HTTP_REQUEST_SESSION pRequestSession = NULL; |
3395 SEC_HTTP_SERVER_SESSION pServerSession = NULL; | 3056 PRUint16 myHttpResponseCode; |
3396 SEC_HTTP_REQUEST_SESSION pRequestSession = NULL; | 3057 const char *myHttpResponseData; |
3397 PRUint16 myHttpResponseCode; | 3058 PRUint32 myHttpResponseDataLen; |
3398 const char *myHttpResponseData; | 3059 |
3399 PRUint32 myHttpResponseDataLen; | 3060 if (ocsp_ParseURL(location, &hostname, &port, &path) == SECFailure) { |
3400 | 3061 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); |
3401 if (ocsp_ParseURL(location, &hostname, &port, &path) == SECFailure) { | 3062 goto loser; |
3402 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); | 3063 } |
3403 goto loser; | 3064 |
3404 } | 3065 PORT_Assert(hostname != NULL); |
3405 ···· | 3066 PORT_Assert(path != NULL); |
3406 PORT_Assert(hostname != NULL); | 3067 |
3407 PORT_Assert(path != NULL); | 3068 if ((*hcv1->createSessionFcn)(hostname, port, &pServerSession) != |
3408 | 3069 SECSuccess) { |
3409 if ((*hcv1->createSessionFcn)( | 3070 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); |
3410 hostname, | 3071 goto loser; |
3411 port,· | 3072 } |
3412 &pServerSession) != SECSuccess) { | 3073 |
3413 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | 3074 /* We use a non-zero timeout, which means: |
3414 goto loser; | 3075 - the client will use blocking I/O |
3415 } | 3076 - TryFcn will not return WOULD_BLOCK nor a poll descriptor |
3416 | 3077 - it's sufficient to call TryFcn once |
3417 /* We use a non-zero timeout, which means: | 3078 No lock for accessing OCSP_Global.timeoutSeconds, bug 406120 |
3418 - the client will use blocking I/O | 3079 */ |
3419 - TryFcn will not return WOULD_BLOCK nor a poll descriptor | 3080 |
3420 - it's sufficient to call TryFcn once | 3081 if ((*hcv1->createFcn)(pServerSession, "http", path, |
3421 No lock for accessing OCSP_Global.timeoutSeconds, bug 406120 | 3082 encodedRequest ? "POST" : "GET", |
3422 */ | 3083 PR_TicksPerSecond() * OCSP_Global.timeoutSeconds, |
3423 | 3084 &pRequestSession) != SECSuccess) { |
3424 if ((*hcv1->createFcn)( | 3085 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); |
3425 pServerSession, | 3086 goto loser; |
3426 "http", | 3087 } |
3427 path, | 3088 |
3428 encodedRequest ? "POST" : "GET", | 3089 if (encodedRequest && |
3429 PR_TicksPerSecond() * OCSP_Global.timeoutSeconds, | 3090 (*hcv1->setPostDataFcn)(pRequestSession, (char *)encodedRequest->data, |
3430 &pRequestSession) != SECSuccess) { | 3091 encodedRequest->len, |
3431 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | 3092 "application/ocsp-request") != SECSuccess) { |
3432 goto loser; | 3093 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); |
3433 } | 3094 goto loser; |
3434 | 3095 } |
3435 if (encodedRequest && | 3096 |
3436 (*hcv1->setPostDataFcn)( | 3097 /* we don't want result objects larger than this: */ |
3437 pRequestSession, | 3098 myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN; |
3438 (char*)encodedRequest->data, | 3099 |
3439 encodedRequest->len, | 3100 OCSP_TRACE(("OCSP trySendAndReceive %s\n", location)); |
3440 "application/ocsp-request") != SECSuccess) { | 3101 |
3441 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | 3102 if ((*hcv1->trySendAndReceiveFcn)(pRequestSession, NULL, &myHttpResponseCode, |
3442 goto loser; | 3103 NULL, NULL, &myHttpResponseData, |
3443 } | 3104 &myHttpResponseDataLen) != SECSuccess) { |
3444 | 3105 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); |
3445 /* we don't want result objects larger than this: */ | 3106 goto loser; |
3446 myHttpResponseDataLen = MAX_WANTED_OCSP_RESPONSE_LEN; | 3107 } |
3447 | 3108 |
3448 OCSP_TRACE(("OCSP trySendAndReceive %s\n", location)); | 3109 OCSP_TRACE(("OCSP trySendAndReceive result http %d\n", myHttpResponseCode)); |
3449 | 3110 |
3450 if ((*hcv1->trySendAndReceiveFcn)( | 3111 if (myHttpResponseCode != 200) { |
3451 pRequestSession, | 3112 PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); |
3452 NULL, | 3113 goto loser; |
3453 &myHttpResponseCode, | 3114 } |
3454 NULL, | 3115 |
3455 NULL, | 3116 encodedResponse = SECITEM_AllocItem(arena, NULL, myHttpResponseDataLen); |
3456 &myHttpResponseData, | 3117 |
3457 &myHttpResponseDataLen) != SECSuccess) { | 3118 if (!encodedResponse) { |
3458 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | 3119 PORT_SetError(SEC_ERROR_NO_MEMORY); |
3459 goto loser; | 3120 goto loser; |
3460 } | 3121 } |
3461 | 3122 |
3462 OCSP_TRACE(("OCSP trySendAndReceive result http %d\n", myHttpResponseCode)); | 3123 PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen); |
3463 | |
3464 if (myHttpResponseCode != 200) { | |
3465 PORT_SetError(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE); | |
3466 goto loser; | |
3467 } | |
3468 | |
3469 encodedResponse = SECITEM_AllocItem(arena, NULL, myHttpResponseDataLen); | |
3470 | |
3471 if (!encodedResponse) { | |
3472 PORT_SetError(SEC_ERROR_NO_MEMORY); | |
3473 goto loser; | |
3474 } | |
3475 | |
3476 PORT_Memcpy(encodedResponse->data, myHttpResponseData, myHttpResponseDataLen
); | |
3477 | 3124 |
3478 loser: | 3125 loser: |
3479 if (pRequestSession != NULL)· | 3126 if (pRequestSession != NULL) (*hcv1->freeFcn)(pRequestSession); |
3480 (*hcv1->freeFcn)(pRequestSession); | 3127 if (pServerSession != NULL) (*hcv1->freeSessionFcn)(pServerSession); |
3481 if (pServerSession != NULL) | 3128 if (path != NULL) PORT_Free(path); |
3482 (*hcv1->freeSessionFcn)(pServerSession); | 3129 if (hostname != NULL) PORT_Free(hostname); |
3483 if (path != NULL) | 3130 |
3484 » PORT_Free(path); | 3131 return encodedResponse; |
3485 if (hostname != NULL) | |
3486 » PORT_Free(hostname); | |
3487 | |
3488 return encodedResponse; | |
3489 } | 3132 } |
3490 | 3133 |
3491 /* | 3134 /* |
3492 * FUNCTION: CERT_GetEncodedOCSPResponseByMethod | 3135 * FUNCTION: CERT_GetEncodedOCSPResponseByMethod |
3493 * Creates and sends a request to an OCSP responder, then reads and | 3136 * Creates and sends a request to an OCSP responder, then reads and |
3494 * returns the (encoded) response. | 3137 * returns the (encoded) response. |
3495 * INPUTS: | 3138 * INPUTS: |
3496 * PLArenaPool *arena | 3139 * PLArenaPool *arena |
3497 * Pointer to arena from which return value will be allocated. | 3140 * Pointer to arena from which return value will be allocated. |
3498 * If NULL, result will be allocated from the heap (and thus should | 3141 * If NULL, result will be allocated from the heap (and thus should |
3499 * be freed via SECITEM_FreeItem). | 3142 * be freed via SECITEM_FreeItem). |
3500 * CERTCertList *certList | 3143 * CERTCertList *certList |
3501 * A list of certs for which status will be requested. | 3144 * A list of certs for which status will be requested. |
3502 * Note that all of these certificates should have the same issuer, | 3145 * Note that all of these certificates should have the same issuer, |
3503 * or it's expected the response will be signed by a trusted responder. | 3146 * or it's expected the response will be signed by a trusted responder. |
3504 * If the certs need to be broken up into multiple requests, that | 3147 * If the certs need to be broken up into multiple requests, that |
3505 * must be handled by the caller (and thus by having multiple calls | 3148 * must be handled by the caller (and thus by having multiple calls |
3506 * to this routine), who knows about where the request(s) are being | 3149 * to this routine), who knows about where the request(s) are being |
3507 * sent and whether there are any trusted responders in place. | 3150 * sent and whether there are any trusted responders in place. |
3508 * const char *location | 3151 * const char *location |
3509 * The location of the OCSP responder (a URL). | 3152 * The location of the OCSP responder (a URL). |
3510 * const char *method | 3153 * const char *method |
3511 * The protocol method used when retrieving the OCSP response. | 3154 * The protocol method used when retrieving the OCSP response. |
3512 * Currently support: "GET" (http GET) and "POST" (http POST). | 3155 * Currently support: "GET" (http GET) and "POST" (http POST). |
3513 * Additionals methods for http or other protocols might be added | 3156 * Additionals methods for http or other protocols might be added |
3514 * in the future. | 3157 * in the future. |
3515 * PRTime time | 3158 * PRTime time |
3516 * Indicates the time for which the certificate status is to be | 3159 * Indicates the time for which the certificate status is to be |
3517 * determined -- this may be used in the search for the cert's issuer | 3160 * determined -- this may be used in the search for the cert's issuer |
3518 * but has no other bearing on the operation. | 3161 * but has no other bearing on the operation. |
3519 * PRBool addServiceLocator | 3162 * PRBool addServiceLocator |
3520 * If true, the Service Locator extension should be added to the | 3163 * If true, the Service Locator extension should be added to the |
3521 * single request(s) for each cert. | 3164 * single request(s) for each cert. |
3522 * CERTCertificate *signerCert | 3165 * CERTCertificate *signerCert |
3523 * If non-NULL, means sign the request using this cert. Otherwise, | 3166 * If non-NULL, means sign the request using this cert. Otherwise, |
3524 * do not sign. | 3167 * do not sign. |
3525 * void *pwArg | 3168 * void *pwArg |
3526 * Pointer to argument for password prompting, if needed. (Definitely | 3169 * Pointer to argument for password prompting, if needed. (Definitely |
3527 * not needed if not signing.) | 3170 * not needed if not signing.) |
3528 * OUTPUTS: | 3171 * OUTPUTS: |
3529 * CERTOCSPRequest **pRequest | 3172 * CERTOCSPRequest **pRequest |
3530 * Pointer in which to store the OCSP request created for the given | 3173 * Pointer in which to store the OCSP request created for the given |
3531 * list of certificates. It is only filled in if the entire operation | 3174 * list of certificates. It is only filled in if the entire operation |
3532 * is successful and the pointer is not null -- and in that case the | 3175 * is successful and the pointer is not null -- and in that case the |
3533 * caller is then reponsible for destroying it. | 3176 * caller is then reponsible for destroying it. |
3534 * RETURN: | 3177 * RETURN: |
3535 * Returns a pointer to the SECItem holding the response. | 3178 * Returns a pointer to the SECItem holding the response. |
3536 * On error, returns null with error set describing the reason: | 3179 * On error, returns null with error set describing the reason: |
3537 * SEC_ERROR_UNKNOWN_ISSUER | 3180 * SEC_ERROR_UNKNOWN_ISSUER |
3538 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION | 3181 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION |
3539 * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE | 3182 * SEC_ERROR_OCSP_BAD_HTTP_RESPONSE |
3540 * Other errors are low-level problems (no memory, bad database, etc.). | 3183 * Other errors are low-level problems (no memory, bad database, etc.). |
3541 */ | 3184 */ |
3542 SECItem * | 3185 SECItem *CERT_GetEncodedOCSPResponseByMethod( |
3543 CERT_GetEncodedOCSPResponseByMethod(PLArenaPool *arena, CERTCertList *certList, | 3186 PLArenaPool *arena, CERTCertList *certList, const char *location, |
3544 » » » » const char *location, const char *method, | 3187 const char *method, PRTime time, PRBool addServiceLocator, |
3545 » » » » PRTime time, PRBool addServiceLocator, | 3188 CERTCertificate *signerCert, void *pwArg, CERTOCSPRequest **pRequest) { |
3546 » » » » CERTCertificate *signerCert, void *pwArg, | 3189 CERTOCSPRequest *request; |
3547 » » » » CERTOCSPRequest **pRequest) | 3190 request = |
3548 { | 3191 CERT_CreateOCSPRequest(certList, time, addServiceLocator, signerCert); |
3549 CERTOCSPRequest *request; | 3192 if (!request) return NULL; |
3550 request = CERT_CreateOCSPRequest(certList, time, addServiceLocator, | 3193 return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, |
3551 signerCert); | 3194 method, time, addServiceLocator, |
3552 if (!request) | 3195 pwArg, pRequest); |
3553 return NULL; | |
3554 return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, | |
3555 method, time, addServiceLocato
r, | |
3556 pwArg, pRequest); | |
3557 } | 3196 } |
3558 | 3197 |
3559 /* | 3198 /* |
3560 * FUNCTION: CERT_GetEncodedOCSPResponse | 3199 * FUNCTION: CERT_GetEncodedOCSPResponse |
3561 * Creates and sends a request to an OCSP responder, then reads and | 3200 * Creates and sends a request to an OCSP responder, then reads and |
3562 * returns the (encoded) response. | 3201 * returns the (encoded) response. |
3563 * | 3202 * |
3564 * This is a legacy API that behaves identically to | 3203 * This is a legacy API that behaves identically to |
3565 * CERT_GetEncodedOCSPResponseByMethod using the "POST" method. | 3204 * CERT_GetEncodedOCSPResponseByMethod using the "POST" method. |
3566 */ | 3205 */ |
3567 SECItem * | 3206 SECItem *CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, |
3568 CERT_GetEncodedOCSPResponse(PLArenaPool *arena, CERTCertList *certList, | 3207 const char *location, PRTime time, |
3569 » » » const char *location, PRTime time, | 3208 PRBool addServiceLocator, |
3570 » » » PRBool addServiceLocator, | 3209 CERTCertificate *signerCert, void *pwArg, |
3571 » » » CERTCertificate *signerCert, void *pwArg, | 3210 CERTOCSPRequest **pRequest) { |
3572 » » » CERTOCSPRequest **pRequest) | 3211 return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location, "POST", |
3573 { | 3212 time, addServiceLocator, |
3574 return CERT_GetEncodedOCSPResponseByMethod(arena, certList, location, | 3213 signerCert, pwArg, pRequest); |
3575 » » » » » "POST", time, addServiceLocator, | |
3576 » » » » » signerCert, pwArg, pRequest); | |
3577 } | 3214 } |
3578 | 3215 |
3579 /* URL encode a buffer that consists of base64-characters, only, | 3216 /* URL encode a buffer that consists of base64-characters, only, |
3580 * which means we can use a simple encoding logic. | 3217 * which means we can use a simple encoding logic. |
3581 * | 3218 * |
3582 * No output buffer size checking is performed. | 3219 * No output buffer size checking is performed. |
3583 * You should call the function twice, to calculate the required buffer size. | 3220 * You should call the function twice, to calculate the required buffer size. |
3584 * | 3221 * |
3585 * If the outpufBuf parameter is NULL, the function will calculate the | 3222 * If the outpufBuf parameter is NULL, the function will calculate the |
3586 * required size, including the trailing zero termination char. | 3223 * required size, including the trailing zero termination char. |
3587 * | 3224 * |
3588 * The function returns the number of bytes calculated or produced. | 3225 * The function returns the number of bytes calculated or produced. |
3589 */ | 3226 */ |
3590 size_t | 3227 size_t ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf) { |
3591 ocsp_UrlEncodeBase64Buf(const char *base64Buf, char *outputBuf) | 3228 const char *walkInput = NULL; |
3592 { | 3229 char *walkOutput = outputBuf; |
3593 const char *walkInput = NULL; | 3230 size_t count = 0; |
3594 char *walkOutput = outputBuf; | 3231 |
3595 size_t count = 0; | 3232 for (walkInput = base64Buf; *walkInput; ++walkInput) { |
3596 ···· | 3233 char c = *walkInput; |
3597 for (walkInput=base64Buf; *walkInput; ++walkInput) { | 3234 if (isspace(c)) continue; |
3598 » char c = *walkInput; | 3235 switch (c) { |
3599 » if (isspace(c)) | 3236 case '+': |
3600 » continue; | 3237 if (outputBuf) { |
3601 » switch (c) { | 3238 strcpy(walkOutput, "%2B"); |
3602 » case '+': | 3239 walkOutput += 3; |
3603 » if (outputBuf) { | 3240 } |
3604 » » strcpy(walkOutput, "%2B"); | 3241 count += 3; |
3605 » » walkOutput += 3; | 3242 break; |
3606 » } | 3243 case '/': |
3607 » count += 3; | 3244 if (outputBuf) { |
3608 » break; | 3245 strcpy(walkOutput, "%2F"); |
3609 » case '/': | 3246 walkOutput += 3; |
3610 » if (outputBuf) { | 3247 } |
3611 » » strcpy(walkOutput, "%2F"); | 3248 count += 3; |
3612 » » walkOutput += 3; | 3249 break; |
3613 » } | 3250 case '=': |
3614 » count += 3; | 3251 if (outputBuf) { |
3615 » break; | 3252 strcpy(walkOutput, "%3D"); |
3616 » case '=': | 3253 walkOutput += 3; |
3617 » if (outputBuf) { | 3254 } |
3618 » » strcpy(walkOutput, "%3D"); | 3255 count += 3; |
3619 » » walkOutput += 3; | 3256 break; |
3620 » } | 3257 default: |
3621 » count += 3; | 3258 if (outputBuf) { |
3622 » break; | 3259 *walkOutput = *walkInput; |
3623 » default: | 3260 ++walkOutput; |
3624 » if (outputBuf) { | 3261 } |
3625 » » *walkOutput = *walkInput; | 3262 ++count; |
3626 » » ++walkOutput; | 3263 break; |
3627 » } | 3264 } |
3628 » ++count; | 3265 } |
3629 » break; | 3266 if (outputBuf) { |
3630 » } | 3267 *walkOutput = 0; |
3631 } | 3268 } |
3632 if (outputBuf) { | 3269 ++count; |
3633 » *walkOutput = 0; | 3270 return count; |
3634 } | 3271 } |
3635 ++count; | 3272 |
3636 return count; | 3273 enum { |
3637 } | 3274 max_get_request_size = 255 |
3638 | 3275 }; /* defined by RFC2560 */ |
3639 enum { max_get_request_size = 255 }; /* defined by RFC2560 */ | 3276 |
3640 | 3277 static SECItem *cert_GetOCSPResponse(PLArenaPool *arena, const char *location, |
3641 static SECItem * | 3278 const SECItem *encodedRequest); |
3642 cert_GetOCSPResponse(PLArenaPool *arena, const char *location,· | 3279 |
3643 const SECItem *encodedRequest); | 3280 static SECItem *ocsp_GetEncodedOCSPResponseFromRequest( |
3644 | 3281 PLArenaPool *arena, CERTOCSPRequest *request, const char *location, |
3645 static SECItem * | 3282 const char *method, PRTime time, PRBool addServiceLocator, void *pwArg, |
3646 ocsp_GetEncodedOCSPResponseFromRequest(PLArenaPool *arena, | 3283 CERTOCSPRequest **pRequest) { |
3647 CERTOCSPRequest *request, | 3284 SECItem *encodedRequest = NULL; |
3648 const char *location, | 3285 SECItem *encodedResponse = NULL; |
3649 » » » » const char *method, | 3286 SECStatus rv; |
3650 » » » » PRTime time, | 3287 |
3651 PRBool addServiceLocator, | 3288 if (!location || !*location) /* location should be at least one byte */ |
3652 void *pwArg, | 3289 goto loser; |
3653 CERTOCSPRequest **pRequest) | 3290 |
3654 { | 3291 rv = CERT_AddOCSPAcceptableResponses(request, |
3655 SECItem *encodedRequest = NULL; | 3292 SEC_OID_PKIX_OCSP_BASIC_RESPONSE); |
3656 SECItem *encodedResponse = NULL; | 3293 if (rv != SECSuccess) goto loser; |
3657 SECStatus rv; | 3294 |
3658 | 3295 encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg); |
3659 if (!location || !*location) /* location should be at least one byte */ | 3296 if (encodedRequest == NULL) goto loser; |
3660 goto loser; | 3297 |
3661 | 3298 if (!strcmp(method, "GET")) { |
3662 rv = CERT_AddOCSPAcceptableResponses(request, | 3299 encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest); |
3663 » » » » » SEC_OID_PKIX_OCSP_BASIC_RESPONSE); | 3300 } else if (!strcmp(method, "POST")) { |
3664 if (rv != SECSuccess) | 3301 encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest); |
3665 » goto loser; | 3302 } else { |
3666 | 3303 goto loser; |
3667 encodedRequest = CERT_EncodeOCSPRequest(NULL, request, pwArg); | 3304 } |
3668 if (encodedRequest == NULL) | 3305 |
3669 » goto loser; | 3306 if (encodedResponse != NULL && pRequest != NULL) { |
3670 | 3307 *pRequest = request; |
3671 if (!strcmp(method, "GET")) { | 3308 request = NULL; /* avoid destroying below */ |
3672 encodedResponse = cert_GetOCSPResponse(arena, location, encodedRequest); | 3309 } |
3673 } | |
3674 else if (!strcmp(method, "POST")) { | |
3675 encodedResponse = CERT_PostOCSPRequest(arena, location, encodedRequest); | |
3676 } | |
3677 else { | |
3678 » goto loser; | |
3679 } | |
3680 | |
3681 if (encodedResponse != NULL && pRequest != NULL) { | |
3682 » *pRequest = request; | |
3683 » request = NULL;»» » /* avoid destroying below */ | |
3684 } | |
3685 | 3310 |
3686 loser: | 3311 loser: |
3687 if (request != NULL) | 3312 if (request != NULL) CERT_DestroyOCSPRequest(request); |
3688 » CERT_DestroyOCSPRequest(request); | 3313 if (encodedRequest != NULL) SECITEM_FreeItem(encodedRequest, PR_TRUE); |
3689 if (encodedRequest != NULL) | 3314 return encodedResponse; |
3690 » SECITEM_FreeItem(encodedRequest, PR_TRUE); | 3315 } |
3691 return encodedResponse; | 3316 |
3692 } | 3317 static SECItem *cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, |
3693 | 3318 const SECItem *encodedRequest); |
3694 static SECItem * | |
3695 cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,· | |
3696 const SECItem *encodedRequest); | |
3697 | 3319 |
3698 /* using HTTP GET method */ | 3320 /* using HTTP GET method */ |
3699 static SECItem * | 3321 static SECItem *cert_GetOCSPResponse(PLArenaPool *arena, const char *location, |
3700 cert_GetOCSPResponse(PLArenaPool *arena, const char *location,· | 3322 const SECItem *encodedRequest) { |
3701 const SECItem *encodedRequest) | 3323 char *walkOutput = NULL; |
3702 { | 3324 char *fullGetPath = NULL; |
3703 char *walkOutput = NULL; | 3325 size_t pathLength; |
3704 char *fullGetPath = NULL; | 3326 PRInt32 urlEncodedBufLength; |
3705 size_t pathLength; | 3327 size_t base64size; |
3706 PRInt32 urlEncodedBufLength; | 3328 char b64ReqBuf[max_get_request_size + 1]; |
3707 size_t base64size; | 3329 size_t slashLengthIfNeeded = 0; |
3708 char b64ReqBuf[max_get_request_size+1]; | 3330 size_t getURLLength; |
3709 size_t slashLengthIfNeeded = 0; | 3331 SECItem *item; |
3710 size_t getURLLength; | 3332 |
3711 SECItem *item; | 3333 if (!location || !*location) { |
3712 | 3334 return NULL; |
3713 if (!location || !*location) { | 3335 } |
3714 » return NULL; | 3336 |
3715 } | 3337 pathLength = strlen(location); |
3716 ···· | 3338 if (location[pathLength - 1] != '/') { |
3717 pathLength = strlen(location); | 3339 slashLengthIfNeeded = 1; |
3718 if (location[pathLength-1] != '/') { | 3340 } |
3719 » slashLengthIfNeeded = 1; | 3341 |
3720 } | 3342 /* Calculation as documented by PL_Base64Encode function. |
3721 ···· | 3343 * Use integer conversion to avoid having to use function ceil(). |
3722 /* Calculation as documented by PL_Base64Encode function. | 3344 */ |
3723 * Use integer conversion to avoid having to use function ceil(). | 3345 base64size = (((encodedRequest->len + 2) / 3) * 4); |
3724 */ | 3346 if (base64size > max_get_request_size) { |
3725 base64size = (((encodedRequest->len +2)/3) * 4); | 3347 return NULL; |
3726 if (base64size > max_get_request_size) { | 3348 } |
3727 » return NULL; | 3349 memset(b64ReqBuf, 0, sizeof(b64ReqBuf)); |
3728 } | 3350 PL_Base64Encode((const char *)encodedRequest->data, encodedRequest->len, |
3729 memset(b64ReqBuf, 0, sizeof(b64ReqBuf)); | 3351 b64ReqBuf); |
3730 PL_Base64Encode((const char*)encodedRequest->data, encodedRequest->len, | 3352 |
3731 » » b64ReqBuf); | 3353 urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL); |
3732 | 3354 getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded; |
3733 urlEncodedBufLength = ocsp_UrlEncodeBase64Buf(b64ReqBuf, NULL); | 3355 |
3734 getURLLength = pathLength + urlEncodedBufLength + slashLengthIfNeeded; | 3356 /* urlEncodedBufLength already contains room for the zero terminator. |
3735 ···· | 3357 * Add another if we must add the '/' char. |
3736 /* urlEncodedBufLength already contains room for the zero terminator. | 3358 */ |
3737 * Add another if we must add the '/' char. | 3359 if (arena) { |
3738 */ | 3360 fullGetPath = (char *)PORT_ArenaAlloc(arena, getURLLength); |
3739 if (arena) { | 3361 } else { |
3740 fullGetPath = (char*)PORT_ArenaAlloc(arena, getURLLength); | 3362 fullGetPath = (char *)PORT_Alloc(getURLLength); |
3741 } else { | 3363 } |
3742 fullGetPath = (char*)PORT_Alloc(getURLLength); | 3364 if (!fullGetPath) { |
3743 } | 3365 return NULL; |
3744 if (!fullGetPath) { | 3366 } |
3745 » return NULL; | 3367 |
3746 } | 3368 strcpy(fullGetPath, location); |
3747 · | 3369 walkOutput = fullGetPath + pathLength; |
3748 strcpy(fullGetPath, location); | 3370 |
3749 walkOutput = fullGetPath + pathLength; | 3371 if (walkOutput > fullGetPath && slashLengthIfNeeded) { |
3750 ···· | 3372 strcpy(walkOutput, "/"); |
3751 if (walkOutput > fullGetPath && slashLengthIfNeeded) { | 3373 ++walkOutput; |
3752 strcpy(walkOutput, "/"); | 3374 } |
3753 ++walkOutput; | 3375 ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput); |
3754 } | 3376 |
3755 ocsp_UrlEncodeBase64Buf(b64ReqBuf, walkOutput); | 3377 item = cert_FetchOCSPResponse(arena, fullGetPath, NULL); |
3756 | 3378 if (!arena) { |
3757 item = cert_FetchOCSPResponse(arena, fullGetPath, NULL); | 3379 PORT_Free(fullGetPath); |
3758 if (!arena) { | 3380 } |
3759 » PORT_Free(fullGetPath); | 3381 return item; |
3760 } | 3382 } |
3761 return item; | 3383 |
3762 } | 3384 SECItem *CERT_PostOCSPRequest(PLArenaPool *arena, const char *location, |
3763 | 3385 const SECItem *encodedRequest) { |
3764 SECItem * | 3386 return cert_FetchOCSPResponse(arena, location, encodedRequest); |
3765 CERT_PostOCSPRequest(PLArenaPool *arena, const char *location,· | 3387 } |
3766 const SECItem *encodedRequest) | 3388 |
3767 { | 3389 SECItem *cert_FetchOCSPResponse(PLArenaPool *arena, const char *location, |
3768 return cert_FetchOCSPResponse(arena, location, encodedRequest); | 3390 const SECItem *encodedRequest) { |
3769 } | 3391 const SEC_HttpClientFcn *registeredHttpClient; |
3770 | 3392 SECItem *encodedResponse = NULL; |
3771 SECItem * | 3393 |
3772 cert_FetchOCSPResponse(PLArenaPool *arena, const char *location,· | 3394 registeredHttpClient = SEC_GetRegisteredHttpClient(); |
3773 const SECItem *encodedRequest) | 3395 |
3774 { | 3396 if (registeredHttpClient && registeredHttpClient->version == 1) { |
3775 const SEC_HttpClientFcn *registeredHttpClient; | 3397 encodedResponse = |
3776 SECItem *encodedResponse = NULL; | 3398 fetchOcspHttpClientV1(arena, ®isteredHttpClient->fcnTable.ftable1, |
3777 | 3399 location, encodedRequest); |
3778 registeredHttpClient = SEC_GetRegisteredHttpClient(); | 3400 } else { |
3779 | 3401 /* use internal http client */ |
3780 if (registeredHttpClient && registeredHttpClient->version == 1) { | 3402 PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest); |
3781 encodedResponse = fetchOcspHttpClientV1( | 3403 if (sock) { |
3782 arena, | 3404 encodedResponse = ocsp_GetEncodedResponse(arena, sock); |
3783 ®isteredHttpClient->fcnTable.ftable1, | 3405 PR_Close(sock); |
3784 location, | 3406 } |
3785 encodedRequest); | 3407 } |
3786 } else { | 3408 |
3787 /* use internal http client */ | 3409 return encodedResponse; |
3788 PRFileDesc *sock = ocsp_SendEncodedRequest(location, encodedRequest); | 3410 } |
3789 if (sock) { | 3411 |
3790 encodedResponse = ocsp_GetEncodedResponse(arena, sock); | 3412 static SECItem *ocsp_GetEncodedOCSPResponseForSingleCert( |
3791 PR_Close(sock); | 3413 PLArenaPool *arena, CERTOCSPCertID *certID, CERTCertificate *singleCert, |
3792 } | 3414 const char *location, const char *method, PRTime time, |
3793 } | 3415 PRBool addServiceLocator, void *pwArg, CERTOCSPRequest **pRequest) { |
3794 | 3416 CERTOCSPRequest *request; |
3795 return encodedResponse; | 3417 request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time, |
3796 } | 3418 addServiceLocator, NULL); |
3797 | 3419 if (!request) return NULL; |
3798 static SECItem * | 3420 return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, |
3799 ocsp_GetEncodedOCSPResponseForSingleCert(PLArenaPool *arena, | 3421 method, time, addServiceLocator, |
3800 CERTOCSPCertID *certID, | 3422 pwArg, pRequest); |
3801 CERTCertificate *singleCert,· | |
3802 const char *location, | |
3803 » » » » » const char *method, | |
3804 » » » » » PRTime time, | |
3805 PRBool addServiceLocator, | |
3806 void *pwArg, | |
3807 CERTOCSPRequest **pRequest) | |
3808 { | |
3809 CERTOCSPRequest *request; | |
3810 request = cert_CreateSingleCertOCSPRequest(certID, singleCert, time,· | |
3811 addServiceLocator, NULL); | |
3812 if (!request) | |
3813 return NULL; | |
3814 return ocsp_GetEncodedOCSPResponseFromRequest(arena, request, location, | |
3815 method, time, addServiceLocato
r, | |
3816 pwArg, pRequest); | |
3817 } | 3423 } |
3818 | 3424 |
3819 /* Checks a certificate for the key usage extension of OCSP signer. */ | 3425 /* Checks a certificate for the key usage extension of OCSP signer. */ |
3820 static PRBool | 3426 static PRBool ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert) { |
3821 ocsp_CertIsOCSPDesignatedResponder(CERTCertificate *cert) | 3427 SECStatus rv; |
3822 { | 3428 SECItem extItem; |
3823 SECStatus rv; | 3429 SECItem **oids; |
3824 SECItem extItem; | 3430 SECItem *oid; |
3825 SECItem **oids; | 3431 SECOidTag oidTag; |
3826 SECItem *oid; | 3432 PRBool retval; |
3827 SECOidTag oidTag; | 3433 CERTOidSequence *oidSeq = NULL; |
3828 PRBool retval; | 3434 |
3829 CERTOidSequence *oidSeq = NULL; | 3435 extItem.data = NULL; |
3830 | 3436 rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem); |
3831 | 3437 if (rv != SECSuccess) { |
3832 extItem.data = NULL; | 3438 goto loser; |
3833 rv = CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &extItem); | 3439 } |
3834 if ( rv != SECSuccess ) { | 3440 |
3835 » goto loser; | 3441 oidSeq = CERT_DecodeOidSequence(&extItem); |
3836 } | 3442 if (oidSeq == NULL) { |
3837 | 3443 goto loser; |
3838 oidSeq = CERT_DecodeOidSequence(&extItem); | 3444 } |
3839 if ( oidSeq == NULL ) { | 3445 |
3840 » goto loser; | 3446 oids = oidSeq->oids; |
3841 } | 3447 while (*oids != NULL) { |
3842 | 3448 oid = *oids; |
3843 oids = oidSeq->oids; | 3449 |
3844 while ( *oids != NULL ) { | 3450 oidTag = SECOID_FindOIDTag(oid); |
3845 » oid = *oids; | 3451 |
3846 »······· | 3452 if (oidTag == SEC_OID_OCSP_RESPONDER) { |
3847 » oidTag = SECOID_FindOIDTag(oid); | 3453 goto success; |
3848 »······· | 3454 } |
3849 » if ( oidTag == SEC_OID_OCSP_RESPONDER ) { | 3455 |
3850 » goto success; | 3456 oids++; |
3851 » } | 3457 } |
3852 »······· | |
3853 » oids++; | |
3854 } | |
3855 | 3458 |
3856 loser: | 3459 loser: |
3857 retval = PR_FALSE; | 3460 retval = PR_FALSE; |
3858 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); | 3461 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); |
3859 goto done; | 3462 goto done; |
3860 success: | 3463 success: |
3861 retval = PR_TRUE; | 3464 retval = PR_TRUE; |
3862 done: | 3465 done: |
3863 if ( extItem.data != NULL ) { | 3466 if (extItem.data != NULL) { |
3864 » PORT_Free(extItem.data); | 3467 PORT_Free(extItem.data); |
3865 } | 3468 } |
3866 if ( oidSeq != NULL ) { | 3469 if (oidSeq != NULL) { |
3867 » CERT_DestroyOidSequence(oidSeq); | 3470 CERT_DestroyOidSequence(oidSeq); |
3868 } | 3471 } |
3869 ···· | 3472 |
3870 return(retval); | 3473 return (retval); |
3871 } | 3474 } |
3872 | 3475 |
3873 | 3476 #ifdef LATER /* \ |
3874 #ifdef LATER» /* | 3477 * XXX This function is not currently used, but will \ |
3875 » » * XXX This function is not currently used, but will | 3478 * be needed later when we do revocation checking of \ |
3876 » » * be needed later when we do revocation checking of | 3479 * the responder certificate. Of course, it may need \ |
3877 » » * the responder certificate. Of course, it may need | 3480 * revising then, if the cert extension interface has \ |
3878 » » * revising then, if the cert extension interface has | 3481 * changed. (Hopefully it will!) \ |
3879 » » * changed. (Hopefully it will!) | 3482 */ |
3880 » » */ | |
3881 | 3483 |
3882 /* Checks a certificate to see if it has the OCSP no check extension. */ | 3484 /* Checks a certificate to see if it has the OCSP no check extension. */ |
3883 static PRBool | 3485 static PRBool ocsp_CertHasNoCheckExtension(CERTCertificate *cert) { |
3884 ocsp_CertHasNoCheckExtension(CERTCertificate *cert) | 3486 SECStatus rv; |
3885 { | 3487 |
3886 SECStatus rv; | 3488 rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK, NULL); |
3887 ···· | 3489 if (rv == SECSuccess) { |
3888 rv = CERT_FindCertExtension(cert, SEC_OID_PKIX_OCSP_NO_CHECK,· | 3490 return PR_TRUE; |
3889 » » » » NULL); | 3491 } |
3890 if (rv == SECSuccess) { | 3492 return PR_FALSE; |
3891 » return PR_TRUE; | 3493 } |
3892 } | 3494 #endif /* LATER */ |
| 3495 |
| 3496 static PRBool ocsp_matchcert(SECItem *certIndex, CERTCertificate *testCert) { |
| 3497 SECItem item; |
| 3498 unsigned char buf[HASH_LENGTH_MAX]; |
| 3499 |
| 3500 item.data = buf; |
| 3501 item.len = SHA1_LENGTH; |
| 3502 |
| 3503 if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_SHA1, &item) == |
| 3504 NULL) { |
3893 return PR_FALSE; | 3505 return PR_FALSE; |
3894 } | 3506 } |
3895 #endif» /* LATER */ | 3507 if (SECITEM_ItemsAreEqual(certIndex, &item)) { |
3896 | 3508 return PR_TRUE; |
3897 static PRBool | 3509 } |
3898 ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert) | 3510 if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD5, &item) == |
3899 { | 3511 NULL) { |
3900 SECItem item; | |
3901 unsigned char buf[HASH_LENGTH_MAX]; | |
3902 | |
3903 item.data = buf; | |
3904 item.len = SHA1_LENGTH; | |
3905 | |
3906 if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_SHA1, | |
3907 » » » » &item) == NULL) { | |
3908 » return PR_FALSE; | |
3909 } | |
3910 if (SECITEM_ItemsAreEqual(certIndex,&item)) { | |
3911 » return PR_TRUE; | |
3912 } | |
3913 if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD5, | |
3914 » » » » &item) == NULL) { | |
3915 » return PR_FALSE; | |
3916 } | |
3917 if (SECITEM_ItemsAreEqual(certIndex,&item)) { | |
3918 » return PR_TRUE; | |
3919 } | |
3920 if (CERT_GetSubjectPublicKeyDigest(NULL,testCert,SEC_OID_MD2, | |
3921 » » » » &item) == NULL) { | |
3922 » return PR_FALSE; | |
3923 } | |
3924 if (SECITEM_ItemsAreEqual(certIndex,&item)) { | |
3925 » return PR_TRUE; | |
3926 } | |
3927 | |
3928 return PR_FALSE; | 3512 return PR_FALSE; |
3929 } | 3513 } |
3930 | 3514 if (SECITEM_ItemsAreEqual(certIndex, &item)) { |
3931 static CERTCertificate * | 3515 return PR_TRUE; |
3932 ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle,CERTOCSPCertID *certID); | 3516 } |
3933 | 3517 if (CERT_GetSubjectPublicKeyDigest(NULL, testCert, SEC_OID_MD2, &item) == |
3934 CERTCertificate * | 3518 NULL) { |
3935 ocsp_GetSignerCertificate(CERTCertDBHandle *handle, ocspResponseData *tbsData, | 3519 return PR_FALSE; |
3936 ocspSignature *signature, CERTCertificate *issuer) | 3520 } |
3937 { | 3521 if (SECITEM_ItemsAreEqual(certIndex, &item)) { |
3938 CERTCertificate **certs = NULL; | 3522 return PR_TRUE; |
3939 CERTCertificate *signerCert = NULL; | 3523 } |
3940 SECStatus rv = SECFailure; | 3524 |
3941 PRBool lookupByName = PR_TRUE; | 3525 return PR_FALSE; |
3942 void *certIndex = NULL; | 3526 } |
3943 int certCount = 0; | 3527 |
3944 | 3528 static CERTCertificate *ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, |
3945 PORT_Assert(tbsData->responderID != NULL); | 3529 CERTOCSPCertID *certID); |
3946 switch (tbsData->responderID->responderIDType) { | 3530 |
| 3531 CERTCertificate *ocsp_GetSignerCertificate(CERTCertDBHandle *handle, |
| 3532 ocspResponseData *tbsData, |
| 3533 ocspSignature *signature, |
| 3534 CERTCertificate *issuer) { |
| 3535 CERTCertificate **certs = NULL; |
| 3536 CERTCertificate *signerCert = NULL; |
| 3537 SECStatus rv = SECFailure; |
| 3538 PRBool lookupByName = PR_TRUE; |
| 3539 void *certIndex = NULL; |
| 3540 int certCount = 0; |
| 3541 |
| 3542 PORT_Assert(tbsData->responderID != NULL); |
| 3543 switch (tbsData->responderID->responderIDType) { |
3947 case ocspResponderID_byName: | 3544 case ocspResponderID_byName: |
3948 » lookupByName = PR_TRUE; | 3545 lookupByName = PR_TRUE; |
3949 » certIndex = &tbsData->derResponderID; | 3546 certIndex = &tbsData->derResponderID; |
3950 » break; | 3547 break; |
3951 case ocspResponderID_byKey: | 3548 case ocspResponderID_byKey: |
3952 » lookupByName = PR_FALSE; | 3549 lookupByName = PR_FALSE; |
3953 » certIndex = &tbsData->responderID->responderIDValue.keyHash; | 3550 certIndex = &tbsData->responderID->responderIDValue.keyHash; |
3954 » break; | 3551 break; |
3955 case ocspResponderID_other: | 3552 case ocspResponderID_other: |
3956 default: | 3553 default: |
3957 » PORT_Assert(0); | 3554 PORT_Assert(0); |
3958 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | 3555 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
3959 » return NULL; | 3556 return NULL; |
3960 } | 3557 } |
3961 | 3558 |
| 3559 /* |
| 3560 * If the signature contains some certificates as well, temporarily |
| 3561 * import them in case they are needed for verification. |
| 3562 * |
| 3563 * Note that the result of this is that each cert in "certs" needs |
| 3564 * to be destroyed. |
| 3565 */ |
| 3566 if (signature->derCerts != NULL) { |
| 3567 for (; signature->derCerts[certCount] != NULL; certCount++) { |
| 3568 /* just counting */ |
| 3569 } |
| 3570 rv = |
| 3571 CERT_ImportCerts(handle, certUsageStatusResponder, certCount, |
| 3572 signature->derCerts, &certs, PR_FALSE, PR_FALSE, NULL); |
| 3573 if (rv != SECSuccess) goto finish; |
| 3574 } |
| 3575 |
| 3576 /* |
| 3577 * Now look up the certificate that did the signing. |
| 3578 * The signer can be specified either by name or by key hash. |
| 3579 */ |
| 3580 if (lookupByName) { |
| 3581 SECItem *crIndex = (SECItem *)certIndex; |
| 3582 SECItem encodedName; |
| 3583 PLArenaPool *arena; |
| 3584 |
| 3585 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 3586 if (arena != NULL) { |
| 3587 |
| 3588 rv = SEC_QuickDERDecodeItem(arena, &encodedName, |
| 3589 ocsp_ResponderIDDerNameTemplate, crIndex); |
| 3590 if (rv != SECSuccess) { |
| 3591 if (PORT_GetError() == SEC_ERROR_BAD_DER) |
| 3592 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
| 3593 } else { |
| 3594 signerCert = CERT_FindCertByName(handle, &encodedName); |
| 3595 } |
| 3596 PORT_FreeArena(arena, PR_FALSE); |
| 3597 } |
| 3598 } else { |
3962 /* | 3599 /* |
3963 * If the signature contains some certificates as well, temporarily | 3600 * The signer is either 1) a known issuer CA we passed in, |
3964 * import them in case they are needed for verification. | 3601 * 2) the default OCSP responder, or 3) an intermediate CA |
3965 * | 3602 * passed in the cert list to use. Figure out which it is. |
3966 * Note that the result of this is that each cert in "certs" needs | |
3967 * to be destroyed. | |
3968 */ | 3603 */ |
3969 if (signature->derCerts != NULL) { | 3604 int i; |
3970 » for (; signature->derCerts[certCount] != NULL; certCount++) { | 3605 CERTCertificate *responder = ocsp_CertGetDefaultResponder(handle, NULL); |
3971 » /* just counting */ | 3606 if (responder && ocsp_matchcert(certIndex, responder)) { |
3972 » } | 3607 signerCert = CERT_DupCertificate(responder); |
3973 » rv = CERT_ImportCerts(handle, certUsageStatusResponder, certCount, | 3608 } else if (issuer && ocsp_matchcert(certIndex, issuer)) { |
3974 » signature->derCerts, &certs, | 3609 signerCert = CERT_DupCertificate(issuer); |
3975 » PR_FALSE, PR_FALSE, NULL); | 3610 } |
3976 » if (rv != SECSuccess) | 3611 for (i = 0; (signerCert == NULL) && (i < certCount); i++) { |
3977 » goto finish; | 3612 if (ocsp_matchcert(certIndex, certs[i])) { |
3978 } | 3613 signerCert = CERT_DupCertificate(certs[i]); |
3979 | 3614 } |
3980 /* | 3615 } |
3981 * Now look up the certificate that did the signing. | 3616 if (signerCert == NULL) { |
3982 * The signer can be specified either by name or by key hash. | 3617 PORT_SetError(SEC_ERROR_UNKNOWN_CERT); |
3983 */ | 3618 } |
3984 if (lookupByName) { | 3619 } |
3985 » SECItem *crIndex = (SECItem*)certIndex; | |
3986 » SECItem encodedName; | |
3987 » PLArenaPool *arena; | |
3988 | |
3989 » arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
3990 » if (arena != NULL) { | |
3991 | |
3992 » rv = SEC_QuickDERDecodeItem(arena, &encodedName, | |
3993 » ocsp_ResponderIDDerNameTemplate, | |
3994 » crIndex); | |
3995 » if (rv != SECSuccess) { | |
3996 » if (PORT_GetError() == SEC_ERROR_BAD_DER) | |
3997 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | |
3998 » } else { | |
3999 » signerCert = CERT_FindCertByName(handle, &encodedName); | |
4000 » } | |
4001 » PORT_FreeArena(arena, PR_FALSE); | |
4002 » } | |
4003 } else { | |
4004 » /* | |
4005 » * The signer is either 1) a known issuer CA we passed in, | |
4006 » * 2) the default OCSP responder, or 3) an intermediate CA | |
4007 » * passed in the cert list to use. Figure out which it is. | |
4008 » */ | |
4009 » int i; | |
4010 » CERTCertificate *responder =· | |
4011 ocsp_CertGetDefaultResponder(handle, NULL); | |
4012 » if (responder && ocsp_matchcert(certIndex,responder)) { | |
4013 » signerCert = CERT_DupCertificate(responder); | |
4014 » } else if (issuer && ocsp_matchcert(certIndex,issuer)) { | |
4015 » signerCert = CERT_DupCertificate(issuer); | |
4016 » }· | |
4017 » for (i=0; (signerCert == NULL) && (i < certCount); i++) { | |
4018 » if (ocsp_matchcert(certIndex,certs[i])) { | |
4019 » » signerCert = CERT_DupCertificate(certs[i]); | |
4020 » } | |
4021 » } | |
4022 » if (signerCert == NULL) { | |
4023 » PORT_SetError(SEC_ERROR_UNKNOWN_CERT); | |
4024 » } | |
4025 } | |
4026 | 3620 |
4027 finish: | 3621 finish: |
4028 if (certs != NULL) { | 3622 if (certs != NULL) { |
4029 » CERT_DestroyCertArray(certs, certCount); | 3623 CERT_DestroyCertArray(certs, certCount); |
4030 } | 3624 } |
4031 | 3625 |
4032 return signerCert; | 3626 return signerCert; |
4033 } | 3627 } |
4034 | 3628 |
4035 SECStatus | 3629 SECStatus ocsp_VerifyResponseSignature(CERTCertificate *signerCert, |
4036 ocsp_VerifyResponseSignature(CERTCertificate *signerCert, | 3630 ocspSignature *signature, |
4037 ocspSignature *signature, | 3631 SECItem *tbsResponseDataDER, |
4038 SECItem *tbsResponseDataDER, | 3632 void *pwArg) { |
4039 void *pwArg) | 3633 SECKEYPublicKey *signerKey = NULL; |
4040 { | 3634 SECStatus rv = SECFailure; |
4041 SECKEYPublicKey *signerKey = NULL; | 3635 CERTSignedData signedData; |
4042 SECStatus rv = SECFailure; | 3636 |
4043 CERTSignedData signedData; | 3637 /* |
4044 | 3638 * Now get the public key from the signer's certificate; we need |
4045 /* | 3639 * it to perform the verification. |
4046 * Now get the public key from the signer's certificate; we need | 3640 */ |
4047 * it to perform the verification. | 3641 signerKey = CERT_ExtractPublicKey(signerCert); |
4048 */ | 3642 if (signerKey == NULL) { |
4049 signerKey = CERT_ExtractPublicKey(signerCert); | 3643 return SECFailure; |
4050 if (signerKey == NULL) { | 3644 } |
4051 return SECFailure; | 3645 |
4052 } | 3646 /* |
4053 | 3647 * We copy the signature data *pointer* and length, so that we can |
4054 /* | 3648 * modify the length without damaging the original copy. This is a |
4055 * We copy the signature data *pointer* and length, so that we can | 3649 * simple copy, not a dup, so no destroy/free is necessary. |
4056 * modify the length without damaging the original copy. This is a | 3650 */ |
4057 * simple copy, not a dup, so no destroy/free is necessary. | 3651 signedData.signature = signature->signature; |
4058 */ | 3652 signedData.signatureAlgorithm = signature->signatureAlgorithm; |
4059 signedData.signature = signature->signature; | 3653 signedData.data = *tbsResponseDataDER; |
4060 signedData.signatureAlgorithm = signature->signatureAlgorithm; | 3654 |
4061 signedData.data = *tbsResponseDataDER; | 3655 rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg); |
4062 | 3656 if (rv != SECSuccess && |
4063 rv = CERT_VerifySignedDataWithPublicKey(&signedData, signerKey, pwArg); | 3657 (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE || |
4064 if (rv != SECSuccess && | 3658 PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) { |
4065 (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE ||· | 3659 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); |
4066 PORT_GetError() == SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)) { | 3660 } |
4067 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); | 3661 |
4068 } | 3662 if (signerKey != NULL) { |
4069 | 3663 SECKEY_DestroyPublicKey(signerKey); |
4070 if (signerKey != NULL) { | 3664 } |
4071 SECKEY_DestroyPublicKey(signerKey); | 3665 |
4072 } | 3666 return rv; |
4073 | 3667 } |
4074 return rv; | |
4075 } | |
4076 | |
4077 | 3668 |
4078 /* | 3669 /* |
4079 * FUNCTION: CERT_VerifyOCSPResponseSignature | 3670 * FUNCTION: CERT_VerifyOCSPResponseSignature |
4080 * Check the signature on an OCSP Response. Will also perform a | 3671 * Check the signature on an OCSP Response. Will also perform a |
4081 * verification of the signer's certificate. Note, however, that a | 3672 * verification of the signer's certificate. Note, however, that a |
4082 * successful verification does not make any statement about the | 3673 * successful verification does not make any statement about the |
4083 * signer's *authority* to provide status for the certificate(s), | 3674 * signer's *authority* to provide status for the certificate(s), |
4084 * that must be checked individually for each certificate. | 3675 * that must be checked individually for each certificate. |
4085 * INPUTS: | 3676 * INPUTS: |
4086 * CERTOCSPResponse *response | 3677 * CERTOCSPResponse *response |
(...skipping 10 matching lines...) Expand all Loading... |
4097 * Returns SECSuccess when signature is valid, anything else means invalid. | 3688 * Returns SECSuccess when signature is valid, anything else means invalid. |
4098 * Possible errors set: | 3689 * Possible errors set: |
4099 * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID | 3690 * SEC_ERROR_OCSP_MALFORMED_RESPONSE - unknown type of ResponderID |
4100 * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time | 3691 * SEC_ERROR_INVALID_TIME - bad format of "ProducedAt" time |
4101 * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found | 3692 * SEC_ERROR_UNKNOWN_SIGNER - signer's cert could not be found |
4102 * SEC_ERROR_BAD_SIGNATURE - the signature did not verify | 3693 * SEC_ERROR_BAD_SIGNATURE - the signature did not verify |
4103 * Other errors are any of the many possible failures in cert verification | 3694 * Other errors are any of the many possible failures in cert verification |
4104 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when | 3695 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when |
4105 * verifying the signer's cert, or low-level problems (no memory, etc.) | 3696 * verifying the signer's cert, or low-level problems (no memory, etc.) |
4106 */ | 3697 */ |
4107 SECStatus | 3698 SECStatus CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response, |
4108 CERT_VerifyOCSPResponseSignature(CERTOCSPResponse *response,»··· | 3699 CERTCertDBHandle *handle, |
4109 » » » » CERTCertDBHandle *handle, void *pwArg, | 3700 void *pwArg, |
4110 » » » » CERTCertificate **pSignerCert, | 3701 CERTCertificate **pSignerCert, |
4111 » » » » CERTCertificate *issuer) | 3702 CERTCertificate *issuer) { |
4112 { | 3703 SECItem *tbsResponseDataDER; |
4113 SECItem *tbsResponseDataDER; | 3704 CERTCertificate *signerCert = NULL; |
4114 CERTCertificate *signerCert = NULL; | 3705 SECStatus rv = SECFailure; |
4115 SECStatus rv = SECFailure; | 3706 PRTime producedAt; |
4116 PRTime producedAt; | 3707 |
4117 | 3708 /* ocsp_DecodeBasicOCSPResponse will fail if asn1 decoder is unable |
4118 /* ocsp_DecodeBasicOCSPResponse will fail if asn1 decoder is unable | 3709 * to properly decode tbsData (see the function and |
4119 * to properly decode tbsData (see the function and | 3710 * ocsp_BasicOCSPResponseTemplate). Thus, tbsData can not be |
4120 * ocsp_BasicOCSPResponseTemplate). Thus, tbsData can not be | 3711 * equal to null */ |
4121 * equal to null */ | 3712 ocspResponseData *tbsData = |
4122 ocspResponseData *tbsData = ocsp_GetResponseData(response, | 3713 ocsp_GetResponseData(response, &tbsResponseDataDER); |
4123 &tbsResponseDataDER); | 3714 ocspSignature *signature = ocsp_GetResponseSignature(response); |
4124 ocspSignature *signature = ocsp_GetResponseSignature(response); | 3715 |
4125 | 3716 if (!signature) { |
4126 if (!signature) { | 3717 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); |
4127 PORT_SetError(SEC_ERROR_OCSP_BAD_SIGNATURE); | 3718 return SECFailure; |
4128 return SECFailure; | 3719 } |
4129 } | 3720 |
4130 | 3721 /* |
| 3722 * If this signature has already gone through verification, just |
| 3723 * return the cached result. |
| 3724 */ |
| 3725 if (signature->wasChecked) { |
| 3726 if (signature->status == SECSuccess) { |
| 3727 if (pSignerCert != NULL) |
| 3728 *pSignerCert = CERT_DupCertificate(signature->cert); |
| 3729 } else { |
| 3730 PORT_SetError(signature->failureReason); |
| 3731 } |
| 3732 return signature->status; |
| 3733 } |
| 3734 |
| 3735 signerCert = ocsp_GetSignerCertificate(handle, tbsData, signature, issuer); |
| 3736 if (signerCert == NULL) { |
| 3737 rv = SECFailure; |
| 3738 if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) { |
| 3739 /* Make the error a little more specific. */ |
| 3740 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); |
| 3741 } |
| 3742 goto finish; |
| 3743 } |
| 3744 |
| 3745 /* |
| 3746 * We could mark this true at the top of this function, or always |
| 3747 * below at "finish", but if the problem was just that we could not |
| 3748 * find the signer's cert, leave that as if the signature hasn't |
| 3749 * been checked in case a subsequent call might have better luck. |
| 3750 */ |
| 3751 signature->wasChecked = PR_TRUE; |
| 3752 |
| 3753 /* |
| 3754 * The function will also verify the signer certificate; we |
| 3755 * need to tell it *when* that certificate must be valid -- for our |
| 3756 * purposes we expect it to be valid when the response was signed. |
| 3757 * The value of "producedAt" is the signing time. |
| 3758 */ |
| 3759 rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt); |
| 3760 if (rv != SECSuccess) goto finish; |
| 3761 |
| 3762 /* |
| 3763 * Just because we have a cert does not mean it is any good; check |
| 3764 * it for validity, trust and usage. |
| 3765 */ |
| 3766 if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) { |
| 3767 rv = SECSuccess; |
| 3768 } else { |
| 3769 SECCertUsage certUsage; |
| 3770 if (CERT_IsCACert(signerCert, NULL)) { |
| 3771 certUsage = certUsageAnyCA; |
| 3772 } else { |
| 3773 certUsage = certUsageStatusResponder; |
| 3774 } |
| 3775 rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage, |
| 3776 producedAt, CERT_VERIFYCERT_SKIP_OCSP, pwArg, |
| 3777 NULL); |
| 3778 if (rv != SECSuccess) { |
| 3779 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); |
| 3780 goto finish; |
| 3781 } |
| 3782 } |
| 3783 |
| 3784 rv = ocsp_VerifyResponseSignature(signerCert, signature, tbsResponseDataDER, |
| 3785 pwArg); |
| 3786 |
| 3787 finish: |
| 3788 if (signature->wasChecked) signature->status = rv; |
| 3789 |
| 3790 if (rv != SECSuccess) { |
| 3791 signature->failureReason = PORT_GetError(); |
| 3792 if (signerCert != NULL) CERT_DestroyCertificate(signerCert); |
| 3793 } else { |
4131 /* | 3794 /* |
4132 * If this signature has already gone through verification, just | 3795 * Save signer's certificate in signature. |
4133 * return the cached result. | |
4134 */ | 3796 */ |
4135 if (signature->wasChecked) { | 3797 signature->cert = signerCert; |
4136 » if (signature->status == SECSuccess) { | 3798 if (pSignerCert != NULL) { |
4137 » if (pSignerCert != NULL) | 3799 /* |
4138 » » *pSignerCert = CERT_DupCertificate(signature->cert); | 3800 * Pass pointer to signer's certificate back to our caller, |
4139 » } else { | 3801 * who is also now responsible for destroying it. |
4140 » PORT_SetError(signature->failureReason); | 3802 */ |
4141 » } | 3803 *pSignerCert = CERT_DupCertificate(signerCert); |
4142 » return signature->status; | 3804 } |
4143 } | 3805 } |
4144 | 3806 |
4145 signerCert = ocsp_GetSignerCertificate(handle, tbsData, | 3807 return rv; |
4146 signature, issuer); | |
4147 if (signerCert == NULL) { | |
4148 » rv = SECFailure; | |
4149 » if (PORT_GetError() == SEC_ERROR_UNKNOWN_CERT) { | |
4150 » /* Make the error a little more specific. */ | |
4151 » PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); | |
4152 » } | |
4153 » goto finish; | |
4154 } | |
4155 | |
4156 /* | |
4157 * We could mark this true at the top of this function, or always | |
4158 * below at "finish", but if the problem was just that we could not | |
4159 * find the signer's cert, leave that as if the signature hasn't | |
4160 * been checked in case a subsequent call might have better luck. | |
4161 */ | |
4162 signature->wasChecked = PR_TRUE; | |
4163 | |
4164 /* | |
4165 * The function will also verify the signer certificate; we | |
4166 * need to tell it *when* that certificate must be valid -- for our | |
4167 * purposes we expect it to be valid when the response was signed. | |
4168 * The value of "producedAt" is the signing time. | |
4169 */ | |
4170 rv = DER_GeneralizedTimeToTime(&producedAt, &tbsData->producedAt); | |
4171 if (rv != SECSuccess) | |
4172 goto finish; | |
4173 | |
4174 /* | |
4175 * Just because we have a cert does not mean it is any good; check | |
4176 * it for validity, trust and usage. | |
4177 */ | |
4178 if (ocsp_CertIsOCSPDefaultResponder(handle, signerCert)) { | |
4179 rv = SECSuccess; | |
4180 } else { | |
4181 SECCertUsage certUsage; | |
4182 if (CERT_IsCACert(signerCert, NULL)) { | |
4183 certUsage = certUsageAnyCA; | |
4184 } else { | |
4185 certUsage = certUsageStatusResponder; | |
4186 } | |
4187 rv = cert_VerifyCertWithFlags(handle, signerCert, PR_TRUE, certUsage, | |
4188 producedAt, CERT_VERIFYCERT_SKIP_OCSP, | |
4189 pwArg, NULL); | |
4190 if (rv != SECSuccess) { | |
4191 PORT_SetError(SEC_ERROR_OCSP_INVALID_SIGNING_CERT); | |
4192 goto finish; | |
4193 } | |
4194 } | |
4195 | |
4196 rv = ocsp_VerifyResponseSignature(signerCert, signature, | |
4197 tbsResponseDataDER, | |
4198 pwArg); | |
4199 | |
4200 finish: | |
4201 if (signature->wasChecked) | |
4202 » signature->status = rv; | |
4203 | |
4204 if (rv != SECSuccess) { | |
4205 » signature->failureReason = PORT_GetError(); | |
4206 » if (signerCert != NULL) | |
4207 » CERT_DestroyCertificate(signerCert); | |
4208 } else { | |
4209 » /* | |
4210 » * Save signer's certificate in signature. | |
4211 » */ | |
4212 » signature->cert = signerCert; | |
4213 » if (pSignerCert != NULL) { | |
4214 » /* | |
4215 » * Pass pointer to signer's certificate back to our caller, | |
4216 » * who is also now responsible for destroying it. | |
4217 » */ | |
4218 » *pSignerCert = CERT_DupCertificate(signerCert); | |
4219 » } | |
4220 } | |
4221 | |
4222 return rv; | |
4223 } | 3808 } |
4224 | 3809 |
4225 /* | 3810 /* |
4226 * See if the request's certID and the single response's certID match. | 3811 * See if the request's certID and the single response's certID match. |
4227 * This can be easy or difficult, depending on whether the same hash | 3812 * This can be easy or difficult, depending on whether the same hash |
4228 * algorithm was used. | 3813 * algorithm was used. |
4229 */ | 3814 */ |
4230 static PRBool | 3815 static PRBool ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID, |
4231 ocsp_CertIDsMatch(CERTOCSPCertID *requestCertID, | 3816 CERTOCSPCertID *responseCertID) { |
4232 » » CERTOCSPCertID *responseCertID) | 3817 PRBool match = PR_FALSE; |
4233 { | 3818 SECOidTag hashAlg; |
4234 PRBool match = PR_FALSE; | 3819 SECItem *keyHash = NULL; |
4235 SECOidTag hashAlg; | 3820 SECItem *nameHash = NULL; |
4236 SECItem *keyHash = NULL; | 3821 |
4237 SECItem *nameHash = NULL; | 3822 /* |
4238 | 3823 * In order to match, they must have the same issuer and the same |
| 3824 * serial number. |
| 3825 * |
| 3826 * We just compare the easier things first. |
| 3827 */ |
| 3828 if (SECITEM_CompareItem(&requestCertID->serialNumber, |
| 3829 &responseCertID->serialNumber) != SECEqual) { |
| 3830 goto done; |
| 3831 } |
| 3832 |
| 3833 /* |
| 3834 * Make sure the "parameters" are not too bogus. Since we encoded |
| 3835 * requestCertID->hashAlgorithm, we don't need to check it. |
| 3836 */ |
| 3837 if (responseCertID->hashAlgorithm.parameters.len > 2) { |
| 3838 goto done; |
| 3839 } |
| 3840 if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm, |
| 3841 &responseCertID->hashAlgorithm.algorithm) == |
| 3842 SECEqual) { |
4239 /* | 3843 /* |
4240 * In order to match, they must have the same issuer and the same | 3844 * If the hash algorithms match then we can do a simple compare |
4241 * serial number. | 3845 * of the hash values themselves. |
4242 * | |
4243 * We just compare the easier things first. | |
4244 */ | 3846 */ |
4245 if (SECITEM_CompareItem(&requestCertID->serialNumber, | 3847 if ((SECITEM_CompareItem(&requestCertID->issuerNameHash, |
4246 » » » &responseCertID->serialNumber) != SECEqual) { | 3848 &responseCertID->issuerNameHash) == SECEqual) && |
4247 » goto done; | 3849 (SECITEM_CompareItem(&requestCertID->issuerKeyHash, |
4248 } | 3850 &responseCertID->issuerKeyHash) == SECEqual)) { |
4249 | 3851 match = PR_TRUE; |
4250 /* | 3852 } |
4251 * Make sure the "parameters" are not too bogus. Since we encoded | 3853 goto done; |
4252 * requestCertID->hashAlgorithm, we don't need to check it. | 3854 } |
4253 */ | 3855 |
4254 if (responseCertID->hashAlgorithm.parameters.len > 2) { | 3856 hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm); |
4255 » goto done; | 3857 switch (hashAlg) { |
4256 } | |
4257 if (SECITEM_CompareItem(&requestCertID->hashAlgorithm.algorithm, | |
4258 » » &responseCertID->hashAlgorithm.algorithm) == SECEqual) { | |
4259 » /* | |
4260 » * If the hash algorithms match then we can do a simple compare | |
4261 » * of the hash values themselves. | |
4262 » */ | |
4263 » if ((SECITEM_CompareItem(&requestCertID->issuerNameHash, | |
4264 » » » » &responseCertID->issuerNameHash) == SECEqual) | |
4265 » && (SECITEM_CompareItem(&requestCertID->issuerKeyHash, | |
4266 » » » » &responseCertID->issuerKeyHash) == SECEqual)) { | |
4267 » match = PR_TRUE; | |
4268 » } | |
4269 » goto done; | |
4270 } | |
4271 | |
4272 hashAlg = SECOID_FindOIDTag(&responseCertID->hashAlgorithm.algorithm); | |
4273 switch (hashAlg) { | |
4274 case SEC_OID_SHA1: | 3858 case SEC_OID_SHA1: |
4275 » keyHash = &requestCertID->issuerSHA1KeyHash; | 3859 keyHash = &requestCertID->issuerSHA1KeyHash; |
4276 » nameHash = &requestCertID->issuerSHA1NameHash; | 3860 nameHash = &requestCertID->issuerSHA1NameHash; |
4277 » break; | 3861 break; |
4278 case SEC_OID_MD5: | 3862 case SEC_OID_MD5: |
4279 » keyHash = &requestCertID->issuerMD5KeyHash; | 3863 keyHash = &requestCertID->issuerMD5KeyHash; |
4280 » nameHash = &requestCertID->issuerMD5NameHash; | 3864 nameHash = &requestCertID->issuerMD5NameHash; |
4281 » break; | 3865 break; |
4282 case SEC_OID_MD2: | 3866 case SEC_OID_MD2: |
4283 » keyHash = &requestCertID->issuerMD2KeyHash; | 3867 keyHash = &requestCertID->issuerMD2KeyHash; |
4284 » nameHash = &requestCertID->issuerMD2NameHash; | 3868 nameHash = &requestCertID->issuerMD2NameHash; |
4285 » break; | 3869 break; |
4286 default: | 3870 default: |
4287 » PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); | 3871 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
4288 » return PR_FALSE; | 3872 return PR_FALSE; |
4289 } | 3873 } |
4290 | 3874 |
4291 if ((keyHash != NULL) | 3875 if ((keyHash != NULL) && |
4292 » && (SECITEM_CompareItem(nameHash, | 3876 (SECITEM_CompareItem(nameHash, &responseCertID->issuerNameHash) == |
4293 » » » » &responseCertID->issuerNameHash) == SECEqual) | 3877 SECEqual) && |
4294 » && (SECITEM_CompareItem(keyHash, | 3878 (SECITEM_CompareItem(keyHash, &responseCertID->issuerKeyHash) == |
4295 » » » » &responseCertID->issuerKeyHash) == SECEqual)) { | 3879 SECEqual)) { |
4296 » match = PR_TRUE; | 3880 match = PR_TRUE; |
4297 } | 3881 } |
4298 | 3882 |
4299 done: | 3883 done: |
4300 return match; | 3884 return match; |
4301 } | 3885 } |
4302 | 3886 |
4303 /* | 3887 /* |
4304 * Find the single response for the cert specified by certID. | 3888 * Find the single response for the cert specified by certID. |
4305 * No copying is done; this just returns a pointer to the appropriate | 3889 * No copying is done; this just returns a pointer to the appropriate |
4306 * response within responses, if it is found (and null otherwise). | 3890 * response within responses, if it is found (and null otherwise). |
4307 * This is fine, of course, since this function is internal-use only. | 3891 * This is fine, of course, since this function is internal-use only. |
4308 */ | 3892 */ |
4309 static CERTOCSPSingleResponse * | 3893 static CERTOCSPSingleResponse *ocsp_GetSingleResponseForCertID( |
4310 ocsp_GetSingleResponseForCertID(CERTOCSPSingleResponse **responses, | 3894 CERTOCSPSingleResponse **responses, CERTCertDBHandle *handle, |
4311 » » » » CERTCertDBHandle *handle, | 3895 CERTOCSPCertID *certID) { |
4312 » » » » CERTOCSPCertID *certID) | 3896 CERTOCSPSingleResponse *single; |
4313 { | 3897 int i; |
4314 CERTOCSPSingleResponse *single; | 3898 |
4315 int i; | 3899 if (responses == NULL) return NULL; |
4316 | 3900 |
4317 if (responses == NULL) | 3901 for (i = 0; responses[i] != NULL; i++) { |
4318 » return NULL; | 3902 single = responses[i]; |
4319 | 3903 if (ocsp_CertIDsMatch(certID, single->certID)) { |
4320 for (i = 0; responses[i] != NULL; i++) { | 3904 return single; |
4321 » single = responses[i]; | 3905 } |
4322 » if (ocsp_CertIDsMatch(certID, single->certID)) { | 3906 } |
4323 » return single; | 3907 |
4324 » } | 3908 /* |
4325 } | 3909 * The OCSP server should have included a response even if it knew |
| 3910 * nothing about the certificate in question. Since it did not, |
| 3911 * this will make it look as if it had. |
| 3912 * |
| 3913 * XXX Should we make this a separate error to notice the server's |
| 3914 * bad behavior? |
| 3915 */ |
| 3916 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); |
| 3917 return NULL; |
| 3918 } |
| 3919 |
| 3920 static ocspCheckingContext *ocsp_GetCheckingContext(CERTCertDBHandle *handle) { |
| 3921 CERTStatusConfig *statusConfig; |
| 3922 ocspCheckingContext *ocspcx = NULL; |
| 3923 |
| 3924 statusConfig = CERT_GetStatusConfig(handle); |
| 3925 if (statusConfig != NULL) { |
| 3926 ocspcx = statusConfig->statusContext; |
4326 | 3927 |
4327 /* | 3928 /* |
4328 * The OCSP server should have included a response even if it knew | 3929 * This is actually an internal error, because we should never |
4329 * nothing about the certificate in question. Since it did not, | 3930 * have a good statusConfig without a good statusContext, too. |
4330 * this will make it look as if it had. | 3931 * For lack of anything better, though, we just assert and use |
4331 *· | 3932 * the same error as if there were no statusConfig (set below). |
4332 * XXX Should we make this a separate error to notice the server's | |
4333 * bad behavior? | |
4334 */ | 3933 */ |
4335 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); | 3934 PORT_Assert(ocspcx != NULL); |
4336 return NULL; | 3935 } |
4337 } | 3936 |
4338 | 3937 if (ocspcx == NULL) PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); |
4339 static ocspCheckingContext * | 3938 |
4340 ocsp_GetCheckingContext(CERTCertDBHandle *handle) | 3939 return ocspcx; |
4341 { | |
4342 CERTStatusConfig *statusConfig; | |
4343 ocspCheckingContext *ocspcx = NULL; | |
4344 | |
4345 statusConfig = CERT_GetStatusConfig(handle); | |
4346 if (statusConfig != NULL) { | |
4347 » ocspcx = statusConfig->statusContext; | |
4348 | |
4349 » /* | |
4350 » * This is actually an internal error, because we should never | |
4351 » * have a good statusConfig without a good statusContext, too. | |
4352 » * For lack of anything better, though, we just assert and use | |
4353 » * the same error as if there were no statusConfig (set below). | |
4354 » */ | |
4355 » PORT_Assert(ocspcx != NULL); | |
4356 } | |
4357 | |
4358 if (ocspcx == NULL) | |
4359 » PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); | |
4360 | |
4361 return ocspcx; | |
4362 } | 3940 } |
4363 | 3941 |
4364 /* | 3942 /* |
4365 * Return cert reference if the given signerCert is the default responder for | 3943 * Return cert reference if the given signerCert is the default responder for |
4366 * the given certID. If not, or if any error, return NULL. | 3944 * the given certID. If not, or if any error, return NULL. |
4367 */ | 3945 */ |
4368 static CERTCertificate * | 3946 static CERTCertificate *ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, |
4369 ocsp_CertGetDefaultResponder(CERTCertDBHandle *handle, CERTOCSPCertID *certID) | 3947 CERTOCSPCertID *certID) { |
4370 { | 3948 ocspCheckingContext *ocspcx; |
4371 ocspCheckingContext *ocspcx; | 3949 |
4372 | 3950 ocspcx = ocsp_GetCheckingContext(handle); |
4373 ocspcx = ocsp_GetCheckingContext(handle); | 3951 if (ocspcx == NULL) goto loser; |
4374 if (ocspcx == NULL) | 3952 |
4375 » goto loser; | 3953 /* |
4376 | 3954 * Right now we have only one default responder. It applies to |
4377 /* | 3955 * all certs when it is used, so the check is simple and certID |
4378 * Right now we have only one default responder. It applies to | 3956 * has no bearing on the answer. Someday in the future we may |
4379 * all certs when it is used, so the check is simple and certID | 3957 * allow configuration of different responders for different |
4380 * has no bearing on the answer. Someday in the future we may | 3958 * issuers, and then we would have to use the issuer specified |
4381 * allow configuration of different responders for different | 3959 * in certID to determine if signerCert is the right one. |
4382 * issuers, and then we would have to use the issuer specified | 3960 */ |
4383 * in certID to determine if signerCert is the right one. | 3961 if (ocspcx->useDefaultResponder) { |
4384 */ | 3962 PORT_Assert(ocspcx->defaultResponderCert != NULL); |
4385 if (ocspcx->useDefaultResponder) { | 3963 return ocspcx->defaultResponderCert; |
4386 » PORT_Assert(ocspcx->defaultResponderCert != NULL); | 3964 } |
4387 » return ocspcx->defaultResponderCert; | |
4388 } | |
4389 | 3965 |
4390 loser: | 3966 loser: |
4391 return NULL; | 3967 return NULL; |
4392 } | 3968 } |
4393 | 3969 |
4394 /* | 3970 /* |
4395 * Return true if the cert is one of the default responders configured for | 3971 * Return true if the cert is one of the default responders configured for |
4396 * ocsp context. If not, or if any error, return false. | 3972 * ocsp context. If not, or if any error, return false. |
4397 */ | 3973 */ |
4398 PRBool | 3974 PRBool ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, |
4399 ocsp_CertIsOCSPDefaultResponder(CERTCertDBHandle *handle, CERTCertificate *cert) | 3975 CERTCertificate *cert) { |
4400 { | 3976 ocspCheckingContext *ocspcx; |
4401 ocspCheckingContext *ocspcx; | 3977 |
4402 | 3978 ocspcx = ocsp_GetCheckingContext(handle); |
4403 ocspcx = ocsp_GetCheckingContext(handle); | 3979 if (ocspcx == NULL) return PR_FALSE; |
4404 if (ocspcx == NULL) | 3980 |
4405 » return PR_FALSE; | 3981 /* |
4406 | 3982 * Right now we have only one default responder. It applies to |
4407 /* | 3983 * all certs when it is used, so the check is simple and certID |
4408 * Right now we have only one default responder. It applies to | 3984 * has no bearing on the answer. Someday in the future we may |
4409 * all certs when it is used, so the check is simple and certID | 3985 * allow configuration of different responders for different |
4410 * has no bearing on the answer. Someday in the future we may | 3986 * issuers, and then we would have to use the issuer specified |
4411 * allow configuration of different responders for different | 3987 * in certID to determine if signerCert is the right one. |
4412 * issuers, and then we would have to use the issuer specified | 3988 */ |
4413 * in certID to determine if signerCert is the right one. | 3989 if (ocspcx->useDefaultResponder && |
4414 */ | 3990 CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) { |
4415 if (ocspcx->useDefaultResponder && | 3991 return PR_TRUE; |
4416 CERT_CompareCerts(ocspcx->defaultResponderCert, cert)) { | 3992 } |
4417 » return PR_TRUE; | 3993 |
4418 } | 3994 return PR_FALSE; |
4419 | |
4420 return PR_FALSE; | |
4421 } | 3995 } |
4422 | 3996 |
4423 /* | 3997 /* |
4424 * Check that the given signer certificate is authorized to sign status | 3998 * Check that the given signer certificate is authorized to sign status |
4425 * information for the given certID. Return true if it is, false if not | 3999 * information for the given certID. Return true if it is, false if not |
4426 * (or if there is any error along the way). If false is returned because | 4000 * (or if there is any error along the way). If false is returned because |
4427 * the signer is not authorized, the following error will be set: | 4001 * the signer is not authorized, the following error will be set: |
4428 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE | 4002 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE |
4429 * Other errors are low-level problems (no memory, bad database, etc.). | 4003 * Other errors are low-level problems (no memory, bad database, etc.). |
4430 * | 4004 * |
4431 * There are three ways to be authorized. In the order in which we check, | 4005 * There are three ways to be authorized. In the order in which we check, |
4432 * using the terms used in the OCSP spec, the signer must be one of: | 4006 * using the terms used in the OCSP spec, the signer must be one of: |
4433 * 1. A "trusted responder" -- it matches a local configuration | 4007 * 1. A "trusted responder" -- it matches a local configuration |
4434 * of OCSP signing authority for the certificate in question. | 4008 * of OCSP signing authority for the certificate in question. |
4435 * 2. The CA who issued the certificate in question. | 4009 * 2. The CA who issued the certificate in question. |
4436 * 3. A "CA designated responder", aka an "authorized responder" -- it | 4010 * 3. A "CA designated responder", aka an "authorized responder" -- it |
4437 * must be represented by a special cert issued by the CA who issued | 4011 * must be represented by a special cert issued by the CA who issued |
4438 * the certificate in question. | 4012 * the certificate in question. |
4439 */ | 4013 */ |
4440 static PRBool | 4014 static PRBool ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, |
4441 ocsp_AuthorizedResponderForCertID(CERTCertDBHandle *handle, | 4015 CERTCertificate *signerCert, |
4442 » » » » CERTCertificate *signerCert, | 4016 CERTOCSPCertID *certID, |
4443 » » » » CERTOCSPCertID *certID, | 4017 PRTime thisUpdate) { |
4444 » » » » PRTime thisUpdate) | 4018 CERTCertificate *issuerCert = NULL, *defRespCert; |
4445 { | 4019 SECItem *keyHash = NULL; |
4446 CERTCertificate *issuerCert = NULL, *defRespCert; | 4020 SECItem *nameHash = NULL; |
4447 SECItem *keyHash = NULL; | 4021 SECOidTag hashAlg; |
4448 SECItem *nameHash = NULL; | 4022 PRBool keyHashEQ = PR_FALSE, nameHashEQ = PR_FALSE; |
4449 SECOidTag hashAlg; | |
4450 PRBool keyHashEQ = PR_FALSE, nameHashEQ = PR_FALSE; | |
4451 | 4023 |
4452 /* | 4024 /* |
4453 * Check first for a trusted responder, which overrides everything else. | 4025 * Check first for a trusted responder, which overrides everything else. |
4454 */ | 4026 */ |
4455 if ((defRespCert = ocsp_CertGetDefaultResponder(handle, certID)) && | 4027 if ((defRespCert = ocsp_CertGetDefaultResponder(handle, certID)) && |
4456 CERT_CompareCerts(defRespCert, signerCert)) { | 4028 CERT_CompareCerts(defRespCert, signerCert)) { |
4457 return PR_TRUE; | 4029 return PR_TRUE; |
| 4030 } |
| 4031 |
| 4032 /* |
| 4033 * In the other two cases, we need to do an issuer comparison. |
| 4034 * How we do it depends on whether the signer certificate has the |
| 4035 * special extension (for a designated responder) or not. |
| 4036 * |
| 4037 * First, lets check if signer of the response is the actual issuer |
| 4038 * of the cert. For that we will use signer cert key hash and cert subj |
| 4039 * name hash and will compare them with already calculated issuer key |
| 4040 * hash and issuer name hash. The hash algorithm is picked from response |
| 4041 * certID hash to avoid second hash calculation. |
| 4042 */ |
| 4043 |
| 4044 hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm); |
| 4045 |
| 4046 keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL); |
| 4047 if (keyHash != NULL) { |
| 4048 |
| 4049 keyHashEQ = |
| 4050 (SECITEM_CompareItem(keyHash, &certID->issuerKeyHash) == SECEqual); |
| 4051 SECITEM_FreeItem(keyHash, PR_TRUE); |
| 4052 } |
| 4053 if (keyHashEQ && |
| 4054 (nameHash = CERT_GetSubjectNameDigest(NULL, signerCert, hashAlg, NULL))) { |
| 4055 nameHashEQ = |
| 4056 (SECITEM_CompareItem(nameHash, &certID->issuerNameHash) == SECEqual); |
| 4057 |
| 4058 SECITEM_FreeItem(nameHash, PR_TRUE); |
| 4059 if (nameHashEQ) { |
| 4060 /* The issuer of the cert is the the signer of the response */ |
| 4061 return PR_TRUE; |
4458 } | 4062 } |
| 4063 } |
4459 | 4064 |
4460 /* | 4065 keyHashEQ = PR_FALSE; |
4461 * In the other two cases, we need to do an issuer comparison. | 4066 nameHashEQ = PR_FALSE; |
4462 * How we do it depends on whether the signer certificate has the | |
4463 * special extension (for a designated responder) or not. | |
4464 * | |
4465 * First, lets check if signer of the response is the actual issuer | |
4466 * of the cert. For that we will use signer cert key hash and cert subj | |
4467 * name hash and will compare them with already calculated issuer key | |
4468 * hash and issuer name hash. The hash algorithm is picked from response | |
4469 * certID hash to avoid second hash calculation. | |
4470 */ | |
4471 | 4067 |
4472 hashAlg = SECOID_FindOIDTag(&certID->hashAlgorithm.algorithm); | 4068 if (!ocsp_CertIsOCSPDesignatedResponder(signerCert)) { |
4473 | |
4474 keyHash = CERT_GetSubjectPublicKeyDigest(NULL, signerCert, hashAlg, NULL); | |
4475 if (keyHash != NULL) { | |
4476 | |
4477 keyHashEQ = | |
4478 (SECITEM_CompareItem(keyHash, | |
4479 &certID->issuerKeyHash) == SECEqual); | |
4480 SECITEM_FreeItem(keyHash, PR_TRUE); | |
4481 } | |
4482 if (keyHashEQ && | |
4483 (nameHash = CERT_GetSubjectNameDigest(NULL, signerCert, | |
4484 hashAlg, NULL))) { | |
4485 nameHashEQ = | |
4486 (SECITEM_CompareItem(nameHash, | |
4487 &certID->issuerNameHash) == SECEqual); | |
4488 ············ | |
4489 SECITEM_FreeItem(nameHash, PR_TRUE); | |
4490 if (nameHashEQ) { | |
4491 /* The issuer of the cert is the the signer of the response */ | |
4492 return PR_TRUE; | |
4493 } | |
4494 } | |
4495 | |
4496 | |
4497 keyHashEQ = PR_FALSE; | |
4498 nameHashEQ = PR_FALSE; | |
4499 | |
4500 if (!ocsp_CertIsOCSPDesignatedResponder(signerCert)) { | |
4501 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); | |
4502 return PR_FALSE; | |
4503 } | |
4504 | |
4505 /* | |
4506 * The signer is a designated responder. Its issuer must match | |
4507 * the issuer of the cert being checked. | |
4508 */ | |
4509 issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate, | |
4510 certUsageAnyCA); | |
4511 if (issuerCert == NULL) { | |
4512 /* | |
4513 * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone, | |
4514 * but the following will give slightly more information. | |
4515 * Once we have an error stack, things will be much better. | |
4516 */ | |
4517 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); | |
4518 return PR_FALSE; | |
4519 } | |
4520 | |
4521 keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL); | |
4522 nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL); | |
4523 | |
4524 CERT_DestroyCertificate(issuerCert); | |
4525 | |
4526 if (keyHash != NULL && nameHash != NULL) { | |
4527 keyHashEQ =· | |
4528 (SECITEM_CompareItem(keyHash, | |
4529 &certID->issuerKeyHash) == SECEqual); | |
4530 | |
4531 nameHashEQ = | |
4532 (SECITEM_CompareItem(nameHash, | |
4533 &certID->issuerNameHash) == SECEqual); | |
4534 } | |
4535 | |
4536 if (keyHash) { | |
4537 SECITEM_FreeItem(keyHash, PR_TRUE); | |
4538 } | |
4539 if (nameHash) { | |
4540 SECITEM_FreeItem(nameHash, PR_TRUE); | |
4541 } | |
4542 | |
4543 if (keyHashEQ && nameHashEQ) { | |
4544 return PR_TRUE; | |
4545 } | |
4546 | |
4547 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); | 4069 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); |
4548 return PR_FALSE; | 4070 return PR_FALSE; |
| 4071 } |
| 4072 |
| 4073 /* |
| 4074 * The signer is a designated responder. Its issuer must match |
| 4075 * the issuer of the cert being checked. |
| 4076 */ |
| 4077 issuerCert = CERT_FindCertIssuer(signerCert, thisUpdate, certUsageAnyCA); |
| 4078 if (issuerCert == NULL) { |
| 4079 /* |
| 4080 * We could leave the SEC_ERROR_UNKNOWN_ISSUER error alone, |
| 4081 * but the following will give slightly more information. |
| 4082 * Once we have an error stack, things will be much better. |
| 4083 */ |
| 4084 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); |
| 4085 return PR_FALSE; |
| 4086 } |
| 4087 |
| 4088 keyHash = CERT_GetSubjectPublicKeyDigest(NULL, issuerCert, hashAlg, NULL); |
| 4089 nameHash = CERT_GetSubjectNameDigest(NULL, issuerCert, hashAlg, NULL); |
| 4090 |
| 4091 CERT_DestroyCertificate(issuerCert); |
| 4092 |
| 4093 if (keyHash != NULL && nameHash != NULL) { |
| 4094 keyHashEQ = |
| 4095 (SECITEM_CompareItem(keyHash, &certID->issuerKeyHash) == SECEqual); |
| 4096 |
| 4097 nameHashEQ = |
| 4098 (SECITEM_CompareItem(nameHash, &certID->issuerNameHash) == SECEqual); |
| 4099 } |
| 4100 |
| 4101 if (keyHash) { |
| 4102 SECITEM_FreeItem(keyHash, PR_TRUE); |
| 4103 } |
| 4104 if (nameHash) { |
| 4105 SECITEM_FreeItem(nameHash, PR_TRUE); |
| 4106 } |
| 4107 |
| 4108 if (keyHashEQ && nameHashEQ) { |
| 4109 return PR_TRUE; |
| 4110 } |
| 4111 |
| 4112 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE); |
| 4113 return PR_FALSE; |
4549 } | 4114 } |
4550 | 4115 |
4551 /* | 4116 /* |
4552 * We need to check that a responder gives us "recent" information. | 4117 * We need to check that a responder gives us "recent" information. |
4553 * Since a responder can pre-package responses, we need to pick an amount | 4118 * Since a responder can pre-package responses, we need to pick an amount |
4554 * of time that is acceptable to us, and reject any response that is | 4119 * of time that is acceptable to us, and reject any response that is |
4555 * older than that. | 4120 * older than that. |
4556 * | 4121 * |
4557 * XXX This *should* be based on some configuration parameter, so that | 4122 * XXX This *should* be based on some configuration parameter, so that |
4558 * different usages could specify exactly what constitutes "sufficiently | 4123 * different usages could specify exactly what constitutes "sufficiently |
4559 * recent". But that is not going to happen right away. For now, we | 4124 * recent". But that is not going to happen right away. For now, we |
4560 * want something from within the last 24 hours. This macro defines that | 4125 * want something from within the last 24 hours. This macro defines that |
4561 * number in seconds. | 4126 * number in seconds. |
4562 */ | 4127 */ |
4563 #define OCSP_ALLOWABLE_LAPSE_SECONDS» (24L * 60L * 60L) | 4128 #define OCSP_ALLOWABLE_LAPSE_SECONDS (24L * 60L * 60L) |
4564 | 4129 |
4565 static PRBool | 4130 static PRBool ocsp_TimeIsRecent(PRTime checkTime) { |
4566 ocsp_TimeIsRecent(PRTime checkTime) | 4131 PRTime now = PR_Now(); |
4567 { | 4132 PRTime lapse, tmp; |
4568 PRTime now = PR_Now(); | |
4569 PRTime lapse, tmp; | |
4570 | 4133 |
4571 LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS); | 4134 LL_I2L(lapse, OCSP_ALLOWABLE_LAPSE_SECONDS); |
4572 LL_I2L(tmp, PR_USEC_PER_SEC); | 4135 LL_I2L(tmp, PR_USEC_PER_SEC); |
4573 LL_MUL(lapse, lapse, tmp);» » /* allowable lapse in microseconds */ | 4136 LL_MUL(lapse, lapse, tmp); /* allowable lapse in microseconds */ |
4574 | 4137 |
4575 LL_ADD(checkTime, checkTime, lapse); | 4138 LL_ADD(checkTime, checkTime, lapse); |
4576 if (LL_CMP(now, >, checkTime)) | 4139 if (LL_CMP(now, >, checkTime)) return PR_FALSE; |
4577 » return PR_FALSE; | |
4578 | 4140 |
4579 return PR_TRUE; | 4141 return PR_TRUE; |
4580 } | 4142 } |
4581 | 4143 |
4582 #define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes | 4144 #define OCSP_SLOP \ |
4583 in the future by default */ | 4145 (5L * 60L) /* OCSP responses are allowed to be 5 minutes \ |
| 4146 in the future by default */ |
4584 | 4147 |
4585 static PRUint32 ocspsloptime = OCSP_SLOP;» /* seconds */ | 4148 static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */ |
4586 | 4149 |
4587 /* | 4150 /* |
4588 * If an old response contains the revoked certificate status, we want | 4151 * If an old response contains the revoked certificate status, we want |
4589 * to return SECSuccess so the response will be used. | 4152 * to return SECSuccess so the response will be used. |
4590 */ | 4153 */ |
4591 static SECStatus | 4154 static SECStatus ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, |
4592 ocsp_HandleOldSingleResponse(CERTOCSPSingleResponse *single, PRTime time) | 4155 PRTime time) { |
4593 { | 4156 SECStatus rv; |
4594 SECStatus rv; | 4157 ocspCertStatus *status = single->certStatus; |
4595 ocspCertStatus *status = single->certStatus; | 4158 if (status->certStatusType == ocspCertStatus_revoked) { |
4596 if (status->certStatusType == ocspCertStatus_revoked) { | 4159 rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); |
4597 rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); | 4160 if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE) { |
4598 if (rv != SECSuccess && | 4161 /* |
4599 PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE) { | 4162 * Return SECSuccess now. The subsequent ocsp_CertRevokedAfter |
4600 /* | 4163 * call in ocsp_CertHasGoodStatus will cause |
4601 * Return SECSuccess now. The subsequent ocsp_CertRevokedAfter | 4164 * ocsp_CertHasGoodStatus to fail with |
4602 * call in ocsp_CertHasGoodStatus will cause | 4165 * SEC_ERROR_REVOKED_CERTIFICATE. |
4603 * ocsp_CertHasGoodStatus to fail with | 4166 */ |
4604 * SEC_ERROR_REVOKED_CERTIFICATE. | 4167 return SECSuccess; |
4605 */ | |
4606 return SECSuccess; | |
4607 } | |
4608 | |
4609 } | 4168 } |
4610 PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE); | 4169 } |
4611 return SECFailure; | 4170 PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE); |
| 4171 return SECFailure; |
4612 } | 4172 } |
4613 | 4173 |
4614 /* | 4174 /* |
4615 * Check that this single response is okay. A return of SECSuccess means: | 4175 * Check that this single response is okay. A return of SECSuccess means: |
4616 * 1. The signer (represented by "signerCert") is authorized to give status | 4176 * 1. The signer (represented by "signerCert") is authorized to give status |
4617 * for the cert represented by the individual response in "single". | 4177 * for the cert represented by the individual response in "single". |
4618 * 2. The value of thisUpdate is earlier than now. | 4178 * 2. The value of thisUpdate is earlier than now. |
4619 * 3. The value of producedAt is later than or the same as thisUpdate. | 4179 * 3. The value of producedAt is later than or the same as thisUpdate. |
4620 * 4. If nextUpdate is given: | 4180 * 4. If nextUpdate is given: |
4621 * - The value of nextUpdate is later than now. | 4181 * - The value of nextUpdate is later than now. |
4622 * - The value of producedAt is earlier than nextUpdate. | 4182 * - The value of producedAt is earlier than nextUpdate. |
4623 * Else if no nextUpdate: | 4183 * Else if no nextUpdate: |
4624 * - The value of thisUpdate is fairly recent. | 4184 * - The value of thisUpdate is fairly recent. |
4625 * - The value of producedAt is fairly recent. | 4185 * - The value of producedAt is fairly recent. |
4626 * However we do not need to perform an explicit check for this last | 4186 * However we do not need to perform an explicit check for this last |
4627 * constraint because it is already guaranteed by checking that | 4187 * constraint because it is already guaranteed by checking that |
4628 * producedAt is later than thisUpdate and thisUpdate is recent. | 4188 * producedAt is later than thisUpdate and thisUpdate is recent. |
4629 * Oh, and any responder is "authorized" to say that a cert is unknown to it. | 4189 * Oh, and any responder is "authorized" to say that a cert is unknown to it. |
4630 * | 4190 * |
4631 * If any of those checks fail, SECFailure is returned and an error is set: | 4191 * If any of those checks fail, SECFailure is returned and an error is set: |
4632 * SEC_ERROR_OCSP_FUTURE_RESPONSE | 4192 * SEC_ERROR_OCSP_FUTURE_RESPONSE |
4633 * SEC_ERROR_OCSP_OLD_RESPONSE | 4193 * SEC_ERROR_OCSP_OLD_RESPONSE |
4634 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE | 4194 * SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE |
4635 * Other errors are low-level problems (no memory, bad database, etc.). | 4195 * Other errors are low-level problems (no memory, bad database, etc.). |
4636 */· | 4196 */ |
4637 static SECStatus | 4197 static SECStatus ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, |
4638 ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single, | 4198 CERTCertDBHandle *handle, |
4639 » » » CERTCertDBHandle *handle, | 4199 CERTCertificate *signerCert, |
4640 » » » CERTCertificate *signerCert, | 4200 PRTime producedAt) { |
4641 » » » PRTime producedAt) | 4201 CERTOCSPCertID *certID = single->certID; |
4642 { | 4202 PRTime now, thisUpdate, nextUpdate, tmstamp, tmp; |
4643 CERTOCSPCertID *certID = single->certID; | 4203 SECStatus rv; |
4644 PRTime now, thisUpdate, nextUpdate, tmstamp, tmp; | 4204 |
4645 SECStatus rv; | 4205 OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n", |
4646 | 4206 ((single->nextUpdate) != 0))); |
4647 OCSP_TRACE(("OCSP ocsp_VerifySingleResponse, nextUpdate: %d\n",· | 4207 /* |
4648 ((single->nextUpdate) != 0))); | 4208 * If all the responder said was that the given cert was unknown to it, |
4649 /* | 4209 * that is a valid response. Not very interesting to us, of course, |
4650 * If all the responder said was that the given cert was unknown to it, | 4210 * but all this function is concerned with is validity of the response, |
4651 * that is a valid response. Not very interesting to us, of course, | 4211 * not the status of the cert. |
4652 * but all this function is concerned with is validity of the response, | 4212 */ |
4653 * not the status of the cert. | 4213 PORT_Assert(single->certStatus != NULL); |
4654 */ | 4214 if (single->certStatus->certStatusType == ocspCertStatus_unknown) |
4655 PORT_Assert(single->certStatus != NULL); | |
4656 if (single->certStatus->certStatusType == ocspCertStatus_unknown) | |
4657 » return SECSuccess; | |
4658 | |
4659 /* | |
4660 * We need to extract "thisUpdate" for use below and to pass along | |
4661 * to AuthorizedResponderForCertID in case it needs it for doing an | |
4662 * issuer look-up. | |
4663 */ | |
4664 rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); | |
4665 if (rv != SECSuccess) | |
4666 » return rv; | |
4667 | |
4668 /* | |
4669 * First confirm that signerCert is authorized to give this status. | |
4670 */ | |
4671 if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID, | |
4672 » » » » » thisUpdate) != PR_TRUE) | |
4673 » return SECFailure; | |
4674 | |
4675 /* | |
4676 * Now check the time stuff, as described above. | |
4677 */ | |
4678 now = PR_Now(); | |
4679 /* allow slop time for future response */ | |
4680 LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */ | |
4681 LL_UI2L(tmp, PR_USEC_PER_SEC); | |
4682 LL_MUL(tmp, tmstamp, tmp); /* convert the slop time to PRTime */ | |
4683 LL_ADD(tmstamp, tmp, now); /* add current time to it */ | |
4684 | |
4685 if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) { | |
4686 » PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE); | |
4687 » return SECFailure; | |
4688 } | |
4689 if (single->nextUpdate != NULL) { | |
4690 » rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate); | |
4691 » if (rv != SECSuccess) | |
4692 » return rv; | |
4693 | |
4694 » LL_ADD(tmp, tmp, nextUpdate); | |
4695 » if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) | |
4696 » return ocsp_HandleOldSingleResponse(single, now); | |
4697 } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) { | |
4698 » return ocsp_HandleOldSingleResponse(single, now); | |
4699 } | |
4700 | |
4701 return SECSuccess; | 4215 return SECSuccess; |
4702 } | 4216 |
4703 | 4217 /* |
| 4218 * We need to extract "thisUpdate" for use below and to pass along |
| 4219 * to AuthorizedResponderForCertID in case it needs it for doing an |
| 4220 * issuer look-up. |
| 4221 */ |
| 4222 rv = DER_GeneralizedTimeToTime(&thisUpdate, &single->thisUpdate); |
| 4223 if (rv != SECSuccess) return rv; |
| 4224 |
| 4225 /* |
| 4226 * First confirm that signerCert is authorized to give this status. |
| 4227 */ |
| 4228 if (ocsp_AuthorizedResponderForCertID(handle, signerCert, certID, |
| 4229 thisUpdate) != PR_TRUE) |
| 4230 return SECFailure; |
| 4231 |
| 4232 /* |
| 4233 * Now check the time stuff, as described above. |
| 4234 */ |
| 4235 now = PR_Now(); |
| 4236 /* allow slop time for future response */ |
| 4237 LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */ |
| 4238 LL_UI2L(tmp, PR_USEC_PER_SEC); |
| 4239 LL_MUL(tmp, tmstamp, tmp); /* convert the slop time to PRTime */ |
| 4240 LL_ADD(tmstamp, tmp, now); /* add current time to it */ |
| 4241 |
| 4242 if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) { |
| 4243 PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE); |
| 4244 return SECFailure; |
| 4245 } |
| 4246 if (single->nextUpdate != NULL) { |
| 4247 rv = DER_GeneralizedTimeToTime(&nextUpdate, single->nextUpdate); |
| 4248 if (rv != SECSuccess) return rv; |
| 4249 |
| 4250 LL_ADD(tmp, tmp, nextUpdate); |
| 4251 if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) |
| 4252 return ocsp_HandleOldSingleResponse(single, now); |
| 4253 } else if (ocsp_TimeIsRecent(thisUpdate) != PR_TRUE) { |
| 4254 return ocsp_HandleOldSingleResponse(single, now); |
| 4255 } |
| 4256 |
| 4257 return SECSuccess; |
| 4258 } |
4704 | 4259 |
4705 /* | 4260 /* |
4706 * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation | 4261 * FUNCTION: CERT_GetOCSPAuthorityInfoAccessLocation |
4707 * Get the value of the URI of the OCSP responder for the given cert. | 4262 * Get the value of the URI of the OCSP responder for the given cert. |
4708 * This is found in the (optional) Authority Information Access extension | 4263 * This is found in the (optional) Authority Information Access extension |
4709 * in the cert. | 4264 * in the cert. |
4710 * INPUTS: | 4265 * INPUTS: |
4711 * CERTCertificate *cert | 4266 * CERTCertificate *cert |
4712 * The certificate being examined. | 4267 * The certificate being examined. |
4713 * RETURN: | 4268 * RETURN: |
4714 * char * | 4269 * char * |
4715 * A copy of the URI for the OCSP method, if found. If either the | 4270 * A copy of the URI for the OCSP method, if found. If either the |
4716 * extension is not present or it does not contain an entry for OCSP, | 4271 * extension is not present or it does not contain an entry for OCSP, |
4717 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned. | 4272 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION will be set and a NULL returned. |
4718 * Any other error will also result in a NULL being returned. | 4273 * Any other error will also result in a NULL being returned. |
4719 * | 4274 * |
4720 * This result should be freed (via PORT_Free) when no longer in use. | 4275 * This result should be freed (via PORT_Free) when no longer in use. |
4721 */ | 4276 */ |
4722 char * | 4277 char *CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) { |
4723 CERT_GetOCSPAuthorityInfoAccessLocation(const CERTCertificate *cert) | 4278 CERTGeneralName *locname = NULL; |
4724 { | 4279 SECItem *location = NULL; |
4725 CERTGeneralName *locname = NULL; | 4280 SECItem *encodedAuthInfoAccess = NULL; |
4726 SECItem *location = NULL; | 4281 CERTAuthInfoAccess **authInfoAccess = NULL; |
4727 SECItem *encodedAuthInfoAccess = NULL; | 4282 char *locURI = NULL; |
4728 CERTAuthInfoAccess **authInfoAccess = NULL; | 4283 PLArenaPool *arena = NULL; |
4729 char *locURI = NULL; | 4284 SECStatus rv; |
4730 PLArenaPool *arena = NULL; | 4285 int i; |
4731 SECStatus rv; | 4286 |
4732 int i; | 4287 /* |
4733 | 4288 * Allocate this one from the heap because it will get filled in |
| 4289 * by CERT_FindCertExtension which will also allocate from the heap, |
| 4290 * and we can free the entire thing on our way out. |
| 4291 */ |
| 4292 encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0); |
| 4293 if (encodedAuthInfoAccess == NULL) goto loser; |
| 4294 |
| 4295 rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, |
| 4296 encodedAuthInfoAccess); |
| 4297 if (rv == SECFailure) { |
| 4298 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); |
| 4299 goto loser; |
| 4300 } |
| 4301 |
| 4302 /* |
| 4303 * The rest of the things allocated in the routine will come out of |
| 4304 * this arena, which is temporary just for us to decode and get at the |
| 4305 * AIA extension. The whole thing will be destroyed on our way out, |
| 4306 * after we have copied the location string (url) itself (if found). |
| 4307 */ |
| 4308 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| 4309 if (arena == NULL) goto loser; |
| 4310 |
| 4311 authInfoAccess = |
| 4312 CERT_DecodeAuthInfoAccessExtension(arena, encodedAuthInfoAccess); |
| 4313 if (authInfoAccess == NULL) goto loser; |
| 4314 |
| 4315 for (i = 0; authInfoAccess[i] != NULL; i++) { |
| 4316 if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP) |
| 4317 locname = authInfoAccess[i]->location; |
| 4318 } |
| 4319 |
| 4320 /* |
| 4321 * If we found an AIA extension, but it did not include an OCSP method, |
| 4322 * that should look to our caller as if we did not find the extension |
| 4323 * at all, because it is only an OCSP method that we care about. |
| 4324 * So set the same error that would be set if the AIA extension was |
| 4325 * not there at all. |
| 4326 */ |
| 4327 if (locname == NULL) { |
| 4328 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); |
| 4329 goto loser; |
| 4330 } |
| 4331 |
| 4332 /* |
| 4333 * The following is just a pointer back into locname (i.e. not a copy); |
| 4334 * thus it should not be freed. |
| 4335 */ |
| 4336 location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE); |
| 4337 if (location == NULL) { |
4734 /* | 4338 /* |
4735 * Allocate this one from the heap because it will get filled in | 4339 * XXX Appears that CERT_GetGeneralNameByType does not set an |
4736 * by CERT_FindCertExtension which will also allocate from the heap, | 4340 * error if there is no name by that type. For lack of anything |
4737 * and we can free the entire thing on our way out. | 4341 * better, act as if the extension was not found. In the future |
| 4342 * this should probably be something more like the extension was |
| 4343 * badly formed. |
4738 */ | 4344 */ |
4739 encodedAuthInfoAccess = SECITEM_AllocItem(NULL, NULL, 0); | 4345 PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); |
4740 if (encodedAuthInfoAccess == NULL) | 4346 goto loser; |
4741 » goto loser; | 4347 } |
4742 | 4348 |
4743 rv = CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, | 4349 /* |
4744 » » » » encodedAuthInfoAccess); | 4350 * That location is really a string, but it has a specified length |
4745 if (rv == SECFailure) { | 4351 * without a null-terminator. We need a real string that does have |
4746 » PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | 4352 * a null-terminator, and we need a copy of it anyway to return to |
4747 » goto loser; | 4353 * our caller -- so allocate and copy. |
4748 } | 4354 */ |
4749 | 4355 locURI = PORT_Alloc(location->len + 1); |
4750 /* | 4356 if (locURI == NULL) { |
4751 * The rest of the things allocated in the routine will come out of | 4357 goto loser; |
4752 * this arena, which is temporary just for us to decode and get at the | 4358 } |
4753 * AIA extension. The whole thing will be destroyed on our way out, | 4359 PORT_Memcpy(locURI, location->data, location->len); |
4754 * after we have copied the location string (url) itself (if found). | 4360 locURI[location->len] = '\0'; |
4755 */ | |
4756 arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); | |
4757 if (arena == NULL) | |
4758 » goto loser; | |
4759 | |
4760 authInfoAccess = CERT_DecodeAuthInfoAccessExtension(arena, | |
4761 » » » » » » » encodedAuthInfoAccess); | |
4762 if (authInfoAccess == NULL) | |
4763 » goto loser; | |
4764 | |
4765 for (i = 0; authInfoAccess[i] != NULL; i++) { | |
4766 » if (SECOID_FindOIDTag(&authInfoAccess[i]->method) == SEC_OID_PKIX_OCSP) | |
4767 » locname = authInfoAccess[i]->location; | |
4768 } | |
4769 | |
4770 /* | |
4771 * If we found an AIA extension, but it did not include an OCSP method, | |
4772 * that should look to our caller as if we did not find the extension | |
4773 * at all, because it is only an OCSP method that we care about. | |
4774 * So set the same error that would be set if the AIA extension was | |
4775 * not there at all. | |
4776 */ | |
4777 if (locname == NULL) { | |
4778 » PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | |
4779 » goto loser; | |
4780 } | |
4781 | |
4782 /* | |
4783 * The following is just a pointer back into locname (i.e. not a copy); | |
4784 * thus it should not be freed. | |
4785 */ | |
4786 location = CERT_GetGeneralNameByType(locname, certURI, PR_FALSE); | |
4787 if (location == NULL) { | |
4788 » /* | |
4789 » * XXX Appears that CERT_GetGeneralNameByType does not set an | |
4790 » * error if there is no name by that type. For lack of anything | |
4791 » * better, act as if the extension was not found. In the future | |
4792 » * this should probably be something more like the extension was | |
4793 » * badly formed. | |
4794 » */ | |
4795 » PORT_SetError(SEC_ERROR_CERT_BAD_ACCESS_LOCATION); | |
4796 » goto loser; | |
4797 } | |
4798 | |
4799 /* | |
4800 * That location is really a string, but it has a specified length | |
4801 * without a null-terminator. We need a real string that does have | |
4802 * a null-terminator, and we need a copy of it anyway to return to | |
4803 * our caller -- so allocate and copy. | |
4804 */ | |
4805 locURI = PORT_Alloc(location->len + 1); | |
4806 if (locURI == NULL) { | |
4807 » goto loser; | |
4808 } | |
4809 PORT_Memcpy(locURI, location->data, location->len); | |
4810 locURI[location->len] = '\0'; | |
4811 | 4361 |
4812 loser: | 4362 loser: |
4813 if (arena != NULL) | 4363 if (arena != NULL) PORT_FreeArena(arena, PR_FALSE); |
4814 » PORT_FreeArena(arena, PR_FALSE); | 4364 |
4815 | 4365 if (encodedAuthInfoAccess != NULL) |
4816 if (encodedAuthInfoAccess != NULL) | 4366 SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE); |
4817 » SECITEM_FreeItem(encodedAuthInfoAccess, PR_TRUE); | 4367 |
4818 | 4368 return locURI; |
4819 return locURI; | 4369 } |
4820 } | |
4821 | |
4822 | 4370 |
4823 /* | 4371 /* |
4824 * Figure out where we should go to find out the status of the given cert | 4372 * Figure out where we should go to find out the status of the given cert |
4825 * via OCSP. If allowed to use a default responder uri and a default | 4373 * via OCSP. If allowed to use a default responder uri and a default |
4826 * responder is set up, then that is our answer. | 4374 * responder is set up, then that is our answer. |
4827 * If not, see if the certificate has an Authority Information Access (AIA) | 4375 * If not, see if the certificate has an Authority Information Access (AIA) |
4828 * extension for OCSP, and return the value of that. Otherwise return NULL. | 4376 * extension for OCSP, and return the value of that. Otherwise return NULL. |
4829 * We also let our caller know whether or not the responder chosen was | 4377 * We also let our caller know whether or not the responder chosen was |
4830 * a default responder or not through the output variable isDefault; | 4378 * a default responder or not through the output variable isDefault; |
4831 * its value has no meaning unless a good (non-null) value is returned | 4379 * its value has no meaning unless a good (non-null) value is returned |
4832 * for the location. | 4380 * for the location. |
4833 * | 4381 * |
4834 * The result needs to be freed (PORT_Free) when no longer in use. | 4382 * The result needs to be freed (PORT_Free) when no longer in use. |
4835 */ | 4383 */ |
4836 char * | 4384 char *ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, |
4837 ocsp_GetResponderLocation(CERTCertDBHandle *handle, CERTCertificate *cert, | 4385 PRBool canUseDefault, PRBool *isDefault) { |
4838 » » » PRBool canUseDefault, PRBool *isDefault) | 4386 ocspCheckingContext *ocspcx = NULL; |
4839 { | 4387 char *ocspUrl = NULL; |
4840 ocspCheckingContext *ocspcx = NULL; | 4388 |
4841 char *ocspUrl = NULL; | 4389 if (canUseDefault) { |
4842 | 4390 ocspcx = ocsp_GetCheckingContext(handle); |
4843 if (canUseDefault) { | 4391 } |
4844 ocspcx = ocsp_GetCheckingContext(handle); | 4392 if (ocspcx != NULL && ocspcx->useDefaultResponder) { |
| 4393 /* |
| 4394 * A default responder wins out, if specified. |
| 4395 * XXX Someday this may be a more complicated determination based |
| 4396 * on the cert's issuer. (That is, we could have different default |
| 4397 * responders configured for different issuers.) |
| 4398 */ |
| 4399 PORT_Assert(ocspcx->defaultResponderURI != NULL); |
| 4400 *isDefault = PR_TRUE; |
| 4401 return (PORT_Strdup(ocspcx->defaultResponderURI)); |
| 4402 } |
| 4403 |
| 4404 /* |
| 4405 * No default responder set up, so go see if we can find an AIA |
| 4406 * extension that has a value for OCSP, and get the url from that. |
| 4407 */ |
| 4408 *isDefault = PR_FALSE; |
| 4409 ocspUrl = CERT_GetOCSPAuthorityInfoAccessLocation(cert); |
| 4410 if (!ocspUrl) { |
| 4411 CERT_StringFromCertFcn altFcn; |
| 4412 |
| 4413 PR_EnterMonitor(OCSP_Global.monitor); |
| 4414 altFcn = OCSP_Global.alternateOCSPAIAFcn; |
| 4415 PR_ExitMonitor(OCSP_Global.monitor); |
| 4416 if (altFcn) { |
| 4417 ocspUrl = (*altFcn)(cert); |
| 4418 if (ocspUrl) *isDefault = PR_TRUE; |
4845 } | 4419 } |
4846 if (ocspcx != NULL && ocspcx->useDefaultResponder) { | 4420 } |
4847 » /* | 4421 return ocspUrl; |
4848 » * A default responder wins out, if specified. | |
4849 » * XXX Someday this may be a more complicated determination based | |
4850 » * on the cert's issuer. (That is, we could have different default | |
4851 » * responders configured for different issuers.) | |
4852 » */ | |
4853 » PORT_Assert(ocspcx->defaultResponderURI != NULL); | |
4854 » *isDefault = PR_TRUE; | |
4855 » return (PORT_Strdup(ocspcx->defaultResponderURI)); | |
4856 } | |
4857 | |
4858 /* | |
4859 * No default responder set up, so go see if we can find an AIA | |
4860 * extension that has a value for OCSP, and get the url from that. | |
4861 */ | |
4862 *isDefault = PR_FALSE; | |
4863 ocspUrl = CERT_GetOCSPAuthorityInfoAccessLocation(cert); | |
4864 if (!ocspUrl) { | |
4865 » CERT_StringFromCertFcn altFcn; | |
4866 | |
4867 » PR_EnterMonitor(OCSP_Global.monitor); | |
4868 » altFcn = OCSP_Global.alternateOCSPAIAFcn; | |
4869 » PR_ExitMonitor(OCSP_Global.monitor); | |
4870 » if (altFcn) { | |
4871 » ocspUrl = (*altFcn)(cert); | |
4872 » if (ocspUrl) | |
4873 » » *isDefault = PR_TRUE; | |
4874 » } | |
4875 } | |
4876 return ocspUrl; | |
4877 } | 4422 } |
4878 | 4423 |
4879 /* | 4424 /* |
4880 * Return SECSuccess if the cert was revoked *after* "time", | 4425 * Return SECSuccess if the cert was revoked *after* "time", |
4881 * SECFailure otherwise. | 4426 * SECFailure otherwise. |
4882 */ | 4427 */ |
4883 static SECStatus | 4428 static SECStatus ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, |
4884 ocsp_CertRevokedAfter(ocspRevokedInfo *revokedInfo, PRTime time) | 4429 PRTime time) { |
4885 { | 4430 PRTime revokedTime; |
4886 PRTime revokedTime; | 4431 SECStatus rv; |
4887 SECStatus rv; | 4432 |
4888 | 4433 rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime); |
4889 rv = DER_GeneralizedTimeToTime(&revokedTime, &revokedInfo->revocationTime); | 4434 if (rv != SECSuccess) return rv; |
4890 if (rv != SECSuccess) | 4435 |
4891 » return rv; | 4436 /* |
4892 | 4437 * Set the error even if we will return success; someone might care. |
4893 /* | 4438 */ |
4894 * Set the error even if we will return success; someone might care. | 4439 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); |
4895 */ | 4440 |
4896 PORT_SetError(SEC_ERROR_REVOKED_CERTIFICATE); | 4441 if (LL_CMP(revokedTime, >, time)) return SECSuccess; |
4897 | 4442 |
4898 if (LL_CMP(revokedTime, >, time)) | 4443 return SECFailure; |
4899 » return SECSuccess; | |
4900 | |
4901 return SECFailure; | |
4902 } | 4444 } |
4903 | 4445 |
4904 /* | 4446 /* |
4905 * See if the cert represented in the single response had a good status | 4447 * See if the cert represented in the single response had a good status |
4906 * at the specified time. | 4448 * at the specified time. |
4907 */ | 4449 */ |
4908 SECStatus | 4450 SECStatus ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time) { |
4909 ocsp_CertHasGoodStatus(ocspCertStatus *status, PRTime time) | 4451 SECStatus rv; |
4910 { | 4452 switch (status->certStatusType) { |
4911 SECStatus rv; | |
4912 switch (status->certStatusType) { | |
4913 case ocspCertStatus_good: | 4453 case ocspCertStatus_good: |
4914 rv = SECSuccess; | 4454 rv = SECSuccess; |
4915 break; | 4455 break; |
4916 case ocspCertStatus_revoked: | 4456 case ocspCertStatus_revoked: |
4917 rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); | 4457 rv = ocsp_CertRevokedAfter(status->certStatusInfo.revokedInfo, time); |
4918 break; | 4458 break; |
4919 case ocspCertStatus_unknown: | 4459 case ocspCertStatus_unknown: |
4920 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); | 4460 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_CERT); |
4921 rv = SECFailure; | 4461 rv = SECFailure; |
4922 break; | 4462 break; |
4923 case ocspCertStatus_other: | 4463 case ocspCertStatus_other: |
4924 default: | 4464 default: |
4925 PORT_Assert(0); | 4465 PORT_Assert(0); |
4926 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); | 4466 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_RESPONSE); |
4927 rv = SECFailure; | 4467 rv = SECFailure; |
4928 break; | 4468 break; |
4929 } | 4469 } |
4930 return rv; | 4470 return rv; |
4931 } | 4471 } |
4932 | 4472 |
4933 static SECStatus | 4473 static SECStatus ocsp_SingleResponseCertHasGoodStatus( |
4934 ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, | 4474 CERTOCSPSingleResponse *single, PRTime time) { |
4935 PRTime time) | 4475 return ocsp_CertHasGoodStatus(single->certStatus, time); |
4936 { | |
4937 return ocsp_CertHasGoodStatus(single->certStatus, time); | |
4938 } | 4476 } |
4939 | 4477 |
4940 /* SECFailure means the arguments were invalid. | 4478 /* SECFailure means the arguments were invalid. |
4941 * On SECSuccess, the out parameters contain the OCSP status. | 4479 * On SECSuccess, the out parameters contain the OCSP status. |
4942 * rvOcsp contains the overall result of the OCSP operation. | 4480 * rvOcsp contains the overall result of the OCSP operation. |
4943 * Depending on input parameter ignoreGlobalOcspFailureSetting, | 4481 * Depending on input parameter ignoreGlobalOcspFailureSetting, |
4944 * a soft failure might be converted into *rvOcsp=SECSuccess. | 4482 * a soft failure might be converted into *rvOcsp=SECSuccess. |
4945 * If the cached attempt to obtain OCSP information had resulted | 4483 * If the cached attempt to obtain OCSP information had resulted |
4946 * in a failure, missingResponseError shows the error code of | 4484 * in a failure, missingResponseError shows the error code of |
4947 * that failure. | 4485 * that failure. |
4948 * cacheFreshness is ocspMissing if no entry was found, | 4486 * cacheFreshness is ocspMissing if no entry was found, |
4949 * ocspFresh if a fresh entry was found, or | 4487 * ocspFresh if a fresh entry was found, or |
4950 * ocspStale if a stale entry was found. | 4488 * ocspStale if a stale entry was found. |
4951 */ | 4489 */ |
4952 SECStatus | 4490 SECStatus ocsp_GetCachedOCSPResponseStatus( |
4953 ocsp_GetCachedOCSPResponseStatus(CERTOCSPCertID *certID, | 4491 CERTOCSPCertID *certID, PRTime time, PRBool ignoreGlobalOcspFailureSetting, |
4954 PRTime time, | 4492 SECStatus *rvOcsp, SECErrorCodes *missingResponseError, |
4955 PRBool ignoreGlobalOcspFailureSetting, | 4493 OCSPFreshness *cacheFreshness) { |
4956 SECStatus *rvOcsp, | 4494 OCSPCacheItem *cacheItem = NULL; |
4957 SECErrorCodes *missingResponseError, | 4495 |
4958 OCSPFreshness *cacheFreshness) | 4496 if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) { |
4959 { | 4497 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
4960 OCSPCacheItem *cacheItem = NULL; | 4498 return SECFailure; |
4961 ·· | 4499 } |
4962 if (!certID || !missingResponseError || !rvOcsp || !cacheFreshness) { | 4500 *rvOcsp = SECFailure; |
4963 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 4501 *missingResponseError = 0; |
4964 return SECFailure; | 4502 *cacheFreshness = ocspMissing; |
| 4503 |
| 4504 PR_EnterMonitor(OCSP_Global.monitor); |
| 4505 cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID); |
| 4506 if (cacheItem) { |
| 4507 *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh : ocspStale; |
| 4508 /* having an arena means, we have a cached certStatus */ |
| 4509 if (cacheItem->certStatusArena) { |
| 4510 *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time); |
| 4511 if (*rvOcsp != SECSuccess) { |
| 4512 *missingResponseError = PORT_GetError(); |
| 4513 } |
| 4514 } else { |
| 4515 /* |
| 4516 * No status cached, the previous attempt failed. |
| 4517 * If OCSP is required, we never decide based on a failed attempt |
| 4518 * However, if OCSP is optional, a recent OCSP failure is |
| 4519 * an allowed good state. |
| 4520 */ |
| 4521 if (*cacheFreshness == ocspFresh && !ignoreGlobalOcspFailureSetting && |
| 4522 OCSP_Global.ocspFailureMode == |
| 4523 ocspMode_FailureIsNotAVerificationFailure) { |
| 4524 *rvOcsp = SECSuccess; |
| 4525 } |
| 4526 *missingResponseError = cacheItem->missingResponseError; |
4965 } | 4527 } |
4966 *rvOcsp = SECFailure; | 4528 } |
4967 *missingResponseError = 0; | 4529 PR_ExitMonitor(OCSP_Global.monitor); |
4968 *cacheFreshness = ocspMissing; | 4530 return SECSuccess; |
4969 ·· | 4531 } |
4970 PR_EnterMonitor(OCSP_Global.monitor); | 4532 |
4971 cacheItem = ocsp_FindCacheEntry(&OCSP_Global.cache, certID); | 4533 PRBool ocsp_FetchingFailureIsVerificationFailure(void) { |
4972 if (cacheItem) { | 4534 PRBool isFailure; |
4973 *cacheFreshness = ocsp_IsCacheItemFresh(cacheItem) ? ocspFresh | 4535 |
4974 : ocspStale; | 4536 PR_EnterMonitor(OCSP_Global.monitor); |
4975 /* having an arena means, we have a cached certStatus */ | 4537 isFailure = |
4976 if (cacheItem->certStatusArena) { | 4538 OCSP_Global.ocspFailureMode == ocspMode_FailureIsVerificationFailure; |
4977 *rvOcsp = ocsp_CertHasGoodStatus(&cacheItem->certStatus, time); | 4539 PR_ExitMonitor(OCSP_Global.monitor); |
4978 if (*rvOcsp != SECSuccess) { | 4540 return isFailure; |
4979 *missingResponseError = PORT_GetError(); | |
4980 } | |
4981 } else { | |
4982 /* | |
4983 * No status cached, the previous attempt failed. | |
4984 * If OCSP is required, we never decide based on a failed attempt· | |
4985 * However, if OCSP is optional, a recent OCSP failure is | |
4986 * an allowed good state. | |
4987 */ | |
4988 if (*cacheFreshness == ocspFresh && | |
4989 !ignoreGlobalOcspFailureSetting && | |
4990 OCSP_Global.ocspFailureMode ==· | |
4991 ocspMode_FailureIsNotAVerificationFailure) { | |
4992 *rvOcsp = SECSuccess; | |
4993 } | |
4994 *missingResponseError = cacheItem->missingResponseError; | |
4995 } | |
4996 } | |
4997 PR_ExitMonitor(OCSP_Global.monitor); | |
4998 return SECSuccess; | |
4999 } | |
5000 | |
5001 PRBool | |
5002 ocsp_FetchingFailureIsVerificationFailure(void) | |
5003 { | |
5004 PRBool isFailure; | |
5005 | |
5006 PR_EnterMonitor(OCSP_Global.monitor); | |
5007 isFailure = | |
5008 OCSP_Global.ocspFailureMode == ocspMode_FailureIsVerificationFailure; | |
5009 PR_ExitMonitor(OCSP_Global.monitor); | |
5010 return isFailure; | |
5011 } | 4541 } |
5012 | 4542 |
5013 /* | 4543 /* |
5014 * FUNCTION: CERT_CheckOCSPStatus | 4544 * FUNCTION: CERT_CheckOCSPStatus |
5015 * Checks the status of a certificate via OCSP. Will only check status for | 4545 * Checks the status of a certificate via OCSP. Will only check status for |
5016 * a certificate that has an AIA (Authority Information Access) extension | 4546 * a certificate that has an AIA (Authority Information Access) extension |
5017 * for OCSP *or* when a "default responder" is specified and enabled. | 4547 * for OCSP *or* when a "default responder" is specified and enabled. |
5018 * (If no AIA extension for OCSP and no default responder in place, the | 4548 * (If no AIA extension for OCSP and no default responder in place, the |
5019 * cert is considered to have a good status and SECSuccess is returned.) | 4549 * cert is considered to have a good status and SECSuccess is returned.) |
5020 * INPUTS: | 4550 * INPUTS: |
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
5052 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION | 4582 * SEC_ERROR_CERT_BAD_ACCESS_LOCATION |
5053 * SEC_ERROR_INVALID_TIME | 4583 * SEC_ERROR_INVALID_TIME |
5054 * SEC_ERROR_REVOKED_CERTIFICATE | 4584 * SEC_ERROR_REVOKED_CERTIFICATE |
5055 * SEC_ERROR_UNKNOWN_ISSUER | 4585 * SEC_ERROR_UNKNOWN_ISSUER |
5056 * SEC_ERROR_UNKNOWN_SIGNER | 4586 * SEC_ERROR_UNKNOWN_SIGNER |
5057 * | 4587 * |
5058 * Other errors are any of the many possible failures in cert verification | 4588 * Other errors are any of the many possible failures in cert verification |
5059 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when | 4589 * (e.g. SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_UNTRUSTED_ISSUER) when |
5060 * verifying the signer's cert, or low-level problems (error allocating | 4590 * verifying the signer's cert, or low-level problems (error allocating |
5061 * memory, error performing ASN.1 decoding, etc.). | 4591 * memory, error performing ASN.1 decoding, etc.). |
5062 */···· | 4592 */ |
5063 SECStatus· | 4593 SECStatus CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, |
5064 CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, | 4594 PRTime time, void *pwArg) { |
5065 » » PRTime time, void *pwArg) | 4595 CERTOCSPCertID *certID; |
5066 { | 4596 PRBool certIDWasConsumed = PR_FALSE; |
5067 CERTOCSPCertID *certID; | 4597 SECStatus rv; |
5068 PRBool certIDWasConsumed = PR_FALSE; | 4598 SECStatus rvOcsp; |
5069 SECStatus rv; | 4599 SECErrorCodes cachedErrorCode; |
5070 SECStatus rvOcsp; | 4600 OCSPFreshness cachedResponseFreshness; |
5071 SECErrorCodes cachedErrorCode; | |
5072 OCSPFreshness cachedResponseFreshness; | |
5073 ·· | |
5074 OCSP_TRACE_CERT(cert); | |
5075 OCSP_TRACE_TIME("## requested validity time:", time); | |
5076 ·· | |
5077 certID = CERT_CreateOCSPCertID(cert, time); | |
5078 if (!certID) | |
5079 return SECFailure; | |
5080 rv = ocsp_GetCachedOCSPResponseStatus( | |
5081 certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */ | |
5082 &rvOcsp, &cachedErrorCode, &cachedResponseFreshness); | |
5083 if (rv != SECSuccess) { | |
5084 CERT_DestroyOCSPCertID(certID); | |
5085 return SECFailure; | |
5086 } | |
5087 if (cachedResponseFreshness == ocspFresh) { | |
5088 CERT_DestroyOCSPCertID(certID); | |
5089 if (rvOcsp != SECSuccess) { | |
5090 PORT_SetError(cachedErrorCode); | |
5091 } | |
5092 return rvOcsp; | |
5093 } | |
5094 | 4601 |
5095 rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, | 4602 OCSP_TRACE_CERT(cert); |
5096 &certIDWasConsumed,· | 4603 OCSP_TRACE_TIME("## requested validity time:", time); |
5097 &rvOcsp); | 4604 |
5098 if (rv != SECSuccess) { | 4605 certID = CERT_CreateOCSPCertID(cert, time); |
5099 PRErrorCode err = PORT_GetError(); | 4606 if (!certID) return SECFailure; |
5100 if (ocsp_FetchingFailureIsVerificationFailure()) { | 4607 rv = ocsp_GetCachedOCSPResponseStatus( |
5101 PORT_SetError(err); | 4608 certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */ |
5102 rvOcsp = SECFailure; | 4609 &rvOcsp, &cachedErrorCode, &cachedResponseFreshness); |
5103 } else if (cachedResponseFreshness == ocspStale && | 4610 if (rv != SECSuccess) { |
5104 (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT || | 4611 CERT_DestroyOCSPCertID(certID); |
5105 cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) { | 4612 return SECFailure; |
5106 /* If we couldn't get a response for a certificate that the OCSP | 4613 } |
5107 * responder previously told us was bad, then assume it is still | 4614 if (cachedResponseFreshness == ocspFresh) { |
5108 * bad until we hear otherwise, as it is very unlikely that the | 4615 CERT_DestroyOCSPCertID(certID); |
5109 * certificate status has changed from "revoked" to "good" and it | 4616 if (rvOcsp != SECSuccess) { |
5110 * is also unlikely that the certificate status has changed from | 4617 PORT_SetError(cachedErrorCode); |
5111 * "unknown" to "good", except for some buggy OCSP responders. | |
5112 */ | |
5113 PORT_SetError(cachedErrorCode); | |
5114 rvOcsp = SECFailure; | |
5115 } else { | |
5116 rvOcsp = SECSuccess; | |
5117 } | |
5118 } | |
5119 if (!certIDWasConsumed) { | |
5120 CERT_DestroyOCSPCertID(certID); | |
5121 } | 4618 } |
5122 return rvOcsp; | 4619 return rvOcsp; |
| 4620 } |
| 4621 |
| 4622 rv = ocsp_GetOCSPStatusFromNetwork(handle, certID, cert, time, pwArg, |
| 4623 &certIDWasConsumed, &rvOcsp); |
| 4624 if (rv != SECSuccess) { |
| 4625 PRErrorCode err = PORT_GetError(); |
| 4626 if (ocsp_FetchingFailureIsVerificationFailure()) { |
| 4627 PORT_SetError(err); |
| 4628 rvOcsp = SECFailure; |
| 4629 } else if (cachedResponseFreshness == ocspStale && |
| 4630 (cachedErrorCode == SEC_ERROR_OCSP_UNKNOWN_CERT || |
| 4631 cachedErrorCode == SEC_ERROR_REVOKED_CERTIFICATE)) { |
| 4632 /* If we couldn't get a response for a certificate that the OCSP |
| 4633 * responder previously told us was bad, then assume it is still |
| 4634 * bad until we hear otherwise, as it is very unlikely that the |
| 4635 * certificate status has changed from "revoked" to "good" and it |
| 4636 * is also unlikely that the certificate status has changed from |
| 4637 * "unknown" to "good", except for some buggy OCSP responders. |
| 4638 */ |
| 4639 PORT_SetError(cachedErrorCode); |
| 4640 rvOcsp = SECFailure; |
| 4641 } else { |
| 4642 rvOcsp = SECSuccess; |
| 4643 } |
| 4644 } |
| 4645 if (!certIDWasConsumed) { |
| 4646 CERT_DestroyOCSPCertID(certID); |
| 4647 } |
| 4648 return rvOcsp; |
5123 } | 4649 } |
5124 | 4650 |
5125 /* | 4651 /* |
5126 * FUNCTION: CERT_CacheOCSPResponseFromSideChannel | 4652 * FUNCTION: CERT_CacheOCSPResponseFromSideChannel |
5127 * First, this function checks the OCSP cache to see if a good response | 4653 * First, this function checks the OCSP cache to see if a good response |
5128 * for the given certificate already exists. If it does, then the function | 4654 * for the given certificate already exists. If it does, then the function |
5129 * returns successfully. | 4655 * returns successfully. |
5130 * | 4656 * |
5131 * If not, then it validates that the given OCSP response is a valid, | 4657 * If not, then it validates that the given OCSP response is a valid, |
5132 * good response for the given certificate and inserts it into the | 4658 * good response for the given certificate and inserts it into the |
(...skipping 10 matching lines...) Expand all Loading... |
5143 * PRTime time | 4669 * PRTime time |
5144 * time for which status is to be determined | 4670 * time for which status is to be determined |
5145 * SECItem *encodedResponse | 4671 * SECItem *encodedResponse |
5146 * the DER encoded bytes of the OCSP response | 4672 * the DER encoded bytes of the OCSP response |
5147 * void *pwArg | 4673 * void *pwArg |
5148 * argument for password prompting, if needed | 4674 * argument for password prompting, if needed |
5149 * RETURN: | 4675 * RETURN: |
5150 * SECSuccess if the cert was found in the cache, or if the OCSP response was | 4676 * SECSuccess if the cert was found in the cache, or if the OCSP response was |
5151 * found to be valid and inserted into the cache. SECFailure otherwise. | 4677 * found to be valid and inserted into the cache. SECFailure otherwise. |
5152 */ | 4678 */ |
5153 SECStatus | 4679 SECStatus CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, |
5154 CERT_CacheOCSPResponseFromSideChannel(CERTCertDBHandle *handle, | 4680 CERTCertificate *cert, |
5155 » » » » CERTCertificate *cert, | 4681 PRTime time, |
5156 » » » » PRTime time, | 4682 const SECItem *encodedResponse, |
5157 » » » » const SECItem *encodedResponse, | 4683 void *pwArg) { |
5158 » » » » void *pwArg) | 4684 CERTOCSPCertID *certID = NULL; |
5159 { | 4685 PRBool certIDWasConsumed = PR_FALSE; |
5160 CERTOCSPCertID *certID = NULL; | 4686 SECStatus rv = SECFailure; |
5161 PRBool certIDWasConsumed = PR_FALSE; | 4687 SECStatus rvOcsp = SECFailure; |
5162 SECStatus rv = SECFailure; | 4688 SECErrorCodes dummy_error_code; /* we ignore this */ |
5163 SECStatus rvOcsp = SECFailure; | 4689 CERTOCSPResponse *decodedResponse = NULL; |
5164 SECErrorCodes dummy_error_code; /* we ignore this */ | 4690 CERTOCSPSingleResponse *singleResponse = NULL; |
5165 CERTOCSPResponse *decodedResponse = NULL; | 4691 OCSPFreshness freshness; |
5166 CERTOCSPSingleResponse *singleResponse = NULL; | 4692 |
5167 OCSPFreshness freshness; | 4693 /* The OCSP cache can be in three states regarding this certificate: |
5168 | 4694 * + Good (cached, timely, 'good' response, or revoked in the future) |
5169 /* The OCSP cache can be in three states regarding this certificate: | 4695 * + Revoked (cached, timely, but doesn't fit in the last category) |
5170 * + Good (cached, timely, 'good' response, or revoked in the future) | 4696 * + Miss (no knowledge) |
5171 * + Revoked (cached, timely, but doesn't fit in the last category) | 4697 * |
5172 * + Miss (no knowledge) | 4698 * Likewise, the side-channel information can be |
5173 * | 4699 * + Good (timely, 'good' response, or revoked in the future) |
5174 * Likewise, the side-channel information can be | 4700 * + Revoked (timely, but doesn't fit in the last category) |
5175 * + Good (timely, 'good' response, or revoked in the future) | 4701 * + Invalid (bad syntax, bad signature, not timely etc) |
5176 * + Revoked (timely, but doesn't fit in the last category) | 4702 * |
5177 * + Invalid (bad syntax, bad signature, not timely etc) | 4703 * The common case is that the cache result is Good and so is the |
5178 * | 4704 * side-channel information. We want to save processing time in this case |
5179 * The common case is that the cache result is Good and so is the | 4705 * so we say that any time we see a Good result from the cache we return |
5180 * side-channel information. We want to save processing time in this case | 4706 * early. |
5181 * so we say that any time we see a Good result from the cache we return | 4707 * |
5182 * early. | 4708 * Cache result |
5183 * | 4709 * | Good Revoked Miss |
5184 * Cache result | 4710 * ---+-------------------------------------------- |
5185 * | Good Revoked Miss | 4711 * G | noop Cache more Cache it |
5186 * ---+-------------------------------------------- | 4712 * S | recent result |
5187 * G | noop Cache more Cache it | 4713 * i | |
5188 * S | recent result | 4714 * d | |
5189 * i | | 4715 * e | |
5190 * d | | 4716 * R | noop Cache more Cache it |
5191 * e | | 4717 * C | recent result |
5192 * R | noop Cache more Cache it | 4718 * h | |
5193 * C | recent result | 4719 * a | |
5194 * h | | 4720 * n | |
5195 * a | | 4721 * n I | noop Noop Noop |
5196 * n | | 4722 * e | |
5197 * n I | noop Noop Noop | 4723 * l | |
5198 * e | | 4724 * |
5199 * l | | 4725 * When we fetch from the network we might choose to cache a negative |
5200 * | 4726 * result when the response is invalid. This saves us hammering, uselessly, |
5201 * When we fetch from the network we might choose to cache a negative | 4727 * at a broken responder. However, side channels are commonly attacker |
5202 * result when the response is invalid. This saves us hammering, uselessly, | 4728 * controlled and so we must not cache a negative result for an Invalid |
5203 * at a broken responder. However, side channels are commonly attacker | 4729 * side channel. |
5204 * controlled and so we must not cache a negative result for an Invalid | 4730 */ |
5205 * side channel. | 4731 |
5206 */ | 4732 if (!cert || !encodedResponse) { |
5207 | 4733 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
5208 if (!cert || !encodedResponse) { | 4734 return SECFailure; |
5209 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 4735 } |
5210 return SECFailure; | 4736 certID = CERT_CreateOCSPCertID(cert, time); |
5211 } | 4737 if (!certID) return SECFailure; |
5212 certID = CERT_CreateOCSPCertID(cert, time); | 4738 |
5213 if (!certID) | 4739 /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached |
5214 return SECFailure; | 4740 * error entry is not interpreted as being a 'Good' entry here. |
5215 | 4741 */ |
5216 /* We pass PR_TRUE for ignoreGlobalOcspFailureSetting so that a cached | 4742 rv = ocsp_GetCachedOCSPResponseStatus( |
5217 * error entry is not interpreted as being a 'Good' entry here. | 4743 certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */ |
5218 */ | 4744 &rvOcsp, &dummy_error_code, &freshness); |
5219 rv = ocsp_GetCachedOCSPResponseStatus( | 4745 if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) { |
5220 certID, time, PR_TRUE, /* ignoreGlobalOcspFailureSetting */ | 4746 /* The cached value is good. We don't want to waste time validating |
5221 &rvOcsp, &dummy_error_code, &freshness); | 4747 * this OCSP response. This is the first column in the table above. */ |
5222 if (rv == SECSuccess && rvOcsp == SECSuccess && freshness == ocspFresh) { | 4748 CERT_DestroyOCSPCertID(certID); |
5223 /* The cached value is good. We don't want to waste time validating | 4749 return rv; |
5224 * this OCSP response. This is the first column in the table above. */ | 4750 } |
5225 CERT_DestroyOCSPCertID(certID); | 4751 |
5226 return rv; | 4752 /* The logic for caching the more recent response is handled in |
5227 } | 4753 * ocsp_CacheSingleResponse. */ |
5228 | 4754 |
5229 /* The logic for caching the more recent response is handled in | 4755 rv = ocsp_GetDecodedVerifiedSingleResponseForID( |
5230 * ocsp_CacheSingleResponse. */ | 4756 handle, certID, cert, time, pwArg, encodedResponse, &decodedResponse, |
5231 | 4757 &singleResponse); |
5232 rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert, | 4758 if (rv == SECSuccess) { |
5233 » » » » » » time, pwArg, | 4759 rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); |
5234 » » » » » » encodedResponse, | 4760 /* Cache any valid singleResponse, regardless of status. */ |
5235 » » » » » » &decodedResponse, | 4761 ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed); |
5236 » » » » » » &singleResponse); | 4762 } |
5237 if (rv == SECSuccess) { | 4763 if (decodedResponse) { |
5238 » rvOcsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); | 4764 CERT_DestroyOCSPResponse(decodedResponse); |
5239 » /* Cache any valid singleResponse, regardless of status. */ | 4765 } |
5240 » ocsp_CacheSingleResponse(certID, singleResponse, &certIDWasConsumed); | 4766 if (!certIDWasConsumed) { |
5241 } | 4767 CERT_DestroyOCSPCertID(certID); |
5242 if (decodedResponse) { | 4768 } |
5243 » CERT_DestroyOCSPResponse(decodedResponse); | 4769 return rv == SECSuccess ? rvOcsp : rv; |
5244 } | |
5245 if (!certIDWasConsumed) { | |
5246 CERT_DestroyOCSPCertID(certID); | |
5247 } | |
5248 return rv == SECSuccess ? rvOcsp : rv; | |
5249 } | 4770 } |
5250 | 4771 |
5251 /* | 4772 /* |
5252 * Status in *certIDWasConsumed will always be correct, regardless of | 4773 * Status in *certIDWasConsumed will always be correct, regardless of |
5253 * return value. | 4774 * return value. |
5254 */ | 4775 */ |
5255 static SECStatus | 4776 static SECStatus ocsp_GetOCSPStatusFromNetwork( |
5256 ocsp_GetOCSPStatusFromNetwork(CERTCertDBHandle *handle,· | 4777 CERTCertDBHandle *handle, CERTOCSPCertID *certID, CERTCertificate *cert, |
5257 CERTOCSPCertID *certID,· | 4778 PRTime time, void *pwArg, PRBool *certIDWasConsumed, SECStatus *rv_ocsp) { |
5258 CERTCertificate *cert,· | 4779 char *location = NULL; |
5259 PRTime time, | 4780 PRBool locationIsDefault; |
5260 void *pwArg, | 4781 SECItem *encodedResponse = NULL; |
5261 PRBool *certIDWasConsumed, | 4782 CERTOCSPRequest *request = NULL; |
5262 SECStatus *rv_ocsp) | 4783 SECStatus rv = SECFailure; |
5263 { | 4784 |
5264 char *location = NULL; | 4785 CERTOCSPResponse *decodedResponse = NULL; |
5265 PRBool locationIsDefault; | 4786 CERTOCSPSingleResponse *singleResponse = NULL; |
5266 SECItem *encodedResponse = NULL; | 4787 enum { |
5267 CERTOCSPRequest *request = NULL; | 4788 stageGET, |
5268 SECStatus rv = SECFailure; | 4789 stagePOST |
5269 | 4790 } currentStage; |
5270 CERTOCSPResponse *decodedResponse = NULL; | 4791 PRBool retry = PR_FALSE; |
5271 CERTOCSPSingleResponse *singleResponse = NULL; | 4792 |
5272 enum { stageGET, stagePOST } currentStage; | 4793 if (!certIDWasConsumed || !rv_ocsp) { |
5273 PRBool retry = PR_FALSE; | 4794 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
5274 | 4795 return SECFailure; |
5275 if (!certIDWasConsumed || !rv_ocsp) { | 4796 } |
5276 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 4797 *certIDWasConsumed = PR_FALSE; |
5277 return SECFailure; | 4798 *rv_ocsp = SECFailure; |
5278 } | 4799 |
5279 *certIDWasConsumed = PR_FALSE; | 4800 if (!OCSP_Global.monitor) { |
| 4801 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
| 4802 return SECFailure; |
| 4803 } |
| 4804 PR_EnterMonitor(OCSP_Global.monitor); |
| 4805 if (OCSP_Global.forcePost) { |
| 4806 currentStage = stagePOST; |
| 4807 } else { |
| 4808 currentStage = stageGET; |
| 4809 } |
| 4810 PR_ExitMonitor(OCSP_Global.monitor); |
| 4811 |
| 4812 /* |
| 4813 * The first thing we need to do is find the location of the responder. |
| 4814 * This will be the value of the default responder (if enabled), else |
| 4815 * it will come out of the AIA extension in the cert (if present). |
| 4816 * If we have no such location, then this cert does not "deserve" to |
| 4817 * be checked -- that is, we consider it a success and just return. |
| 4818 * The way we tell that is by looking at the error number to see if |
| 4819 * the problem was no AIA extension was found; any other error was |
| 4820 * a true failure that we unfortunately have to treat as an overall |
| 4821 * failure here. |
| 4822 */ |
| 4823 location = |
| 4824 ocsp_GetResponderLocation(handle, cert, PR_TRUE, &locationIsDefault); |
| 4825 if (location == NULL) { |
| 4826 int err = PORT_GetError(); |
| 4827 if (err == SEC_ERROR_EXTENSION_NOT_FOUND || |
| 4828 err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { |
| 4829 PORT_SetError(0); |
| 4830 *rv_ocsp = SECSuccess; |
| 4831 return SECSuccess; |
| 4832 } |
| 4833 return SECFailure; |
| 4834 } |
| 4835 |
| 4836 /* |
| 4837 * XXX In the fullness of time, we will want/need to handle a |
| 4838 * certificate chain. This will be done either when a new parameter |
| 4839 * tells us to, or some configuration variable tells us to. In any |
| 4840 * case, handling it is complicated because we may need to send as |
| 4841 * many requests (and receive as many responses) as we have certs |
| 4842 * in the chain. If we are going to talk to a default responder, |
| 4843 * and we only support one default responder, we can put all of the |
| 4844 * certs together into one request. Otherwise, we must break them up |
| 4845 * into multiple requests. (Even if all of the requests will go to |
| 4846 * the same location, the signature on each response will be different, |
| 4847 * because each issuer is different. Carefully read the OCSP spec |
| 4848 * if you do not understand this.) |
| 4849 */ |
| 4850 |
| 4851 /* |
| 4852 * XXX If/when signing of requests is supported, that second NULL |
| 4853 * should be changed to be the signer certificate. Not sure if that |
| 4854 * should be passed into this function or retrieved via some operation |
| 4855 * on the handle/context. |
| 4856 */ |
| 4857 |
| 4858 do { |
| 4859 const char *method; |
| 4860 PRBool validResponseWithAccurateInfo = PR_FALSE; |
| 4861 retry = PR_FALSE; |
5280 *rv_ocsp = SECFailure; | 4862 *rv_ocsp = SECFailure; |
5281 | 4863 |
5282 if (!OCSP_Global.monitor) { | 4864 if (currentStage == stageGET) { |
5283 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 4865 method = "GET"; |
5284 return SECFailure; | 4866 } else { |
5285 } | 4867 PORT_Assert(currentStage == stagePOST); |
5286 PR_EnterMonitor(OCSP_Global.monitor); | 4868 method = "POST"; |
5287 if (OCSP_Global.forcePost) { | 4869 } |
| 4870 |
| 4871 encodedResponse = ocsp_GetEncodedOCSPResponseForSingleCert( |
| 4872 NULL, certID, cert, location, method, time, locationIsDefault, pwArg, |
| 4873 &request); |
| 4874 |
| 4875 if (encodedResponse) { |
| 4876 rv = ocsp_GetDecodedVerifiedSingleResponseForID( |
| 4877 handle, certID, cert, time, pwArg, encodedResponse, &decodedResponse, |
| 4878 &singleResponse); |
| 4879 if (rv == SECSuccess) { |
| 4880 switch (singleResponse->certStatus->certStatusType) { |
| 4881 case ocspCertStatus_good: |
| 4882 case ocspCertStatus_revoked: |
| 4883 validResponseWithAccurateInfo = PR_TRUE; |
| 4884 break; |
| 4885 default: |
| 4886 break; |
| 4887 } |
| 4888 *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse, time); |
| 4889 } |
| 4890 } |
| 4891 |
| 4892 if (currentStage == stageGET) { |
| 4893 /* only accept GET response if good or revoked */ |
| 4894 if (validResponseWithAccurateInfo) { |
| 4895 ocsp_CacheSingleResponse(certID, singleResponse, certIDWasConsumed); |
| 4896 } else { |
| 4897 retry = PR_TRUE; |
5288 currentStage = stagePOST; | 4898 currentStage = stagePOST; |
| 4899 } |
5289 } else { | 4900 } else { |
5290 currentStage = stageGET; | 4901 /* cache the POST respone, regardless of status */ |
5291 } | 4902 if (!singleResponse) { |
5292 PR_ExitMonitor(OCSP_Global.monitor); | 4903 cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed); |
5293 | 4904 } else { |
5294 /* | 4905 ocsp_CacheSingleResponse(certID, singleResponse, certIDWasConsumed); |
5295 * The first thing we need to do is find the location of the responder. | 4906 } |
5296 * This will be the value of the default responder (if enabled), else | 4907 } |
5297 * it will come out of the AIA extension in the cert (if present). | 4908 |
5298 * If we have no such location, then this cert does not "deserve" to | 4909 if (encodedResponse) { |
5299 * be checked -- that is, we consider it a success and just return. | 4910 SECITEM_FreeItem(encodedResponse, PR_TRUE); |
5300 * The way we tell that is by looking at the error number to see if | 4911 encodedResponse = NULL; |
5301 * the problem was no AIA extension was found; any other error was | 4912 } |
5302 * a true failure that we unfortunately have to treat as an overall | 4913 if (request) { |
5303 * failure here. | 4914 CERT_DestroyOCSPRequest(request); |
5304 */ | 4915 request = NULL; |
5305 location = ocsp_GetResponderLocation(handle, cert, PR_TRUE, | 4916 } |
5306 &locationIsDefault); | 4917 if (decodedResponse) { |
5307 if (location == NULL) { | 4918 CERT_DestroyOCSPResponse(decodedResponse); |
5308 int err = PORT_GetError(); | 4919 decodedResponse = NULL; |
5309 if (err == SEC_ERROR_EXTENSION_NOT_FOUND || | 4920 } |
5310 err == SEC_ERROR_CERT_BAD_ACCESS_LOCATION) { | 4921 singleResponse = NULL; |
5311 PORT_SetError(0); | 4922 |
5312 *rv_ocsp = SECSuccess; | 4923 } while (retry); |
5313 return SECSuccess; | 4924 |
5314 } | 4925 PORT_Free(location); |
5315 return SECFailure; | 4926 return rv; |
5316 } | |
5317 | |
5318 /* | |
5319 * XXX In the fullness of time, we will want/need to handle a | |
5320 * certificate chain. This will be done either when a new parameter | |
5321 * tells us to, or some configuration variable tells us to. In any | |
5322 * case, handling it is complicated because we may need to send as | |
5323 * many requests (and receive as many responses) as we have certs | |
5324 * in the chain. If we are going to talk to a default responder, | |
5325 * and we only support one default responder, we can put all of the | |
5326 * certs together into one request. Otherwise, we must break them up | |
5327 * into multiple requests. (Even if all of the requests will go to | |
5328 * the same location, the signature on each response will be different, | |
5329 * because each issuer is different. Carefully read the OCSP spec | |
5330 * if you do not understand this.) | |
5331 */ | |
5332 | |
5333 /* | |
5334 * XXX If/when signing of requests is supported, that second NULL | |
5335 * should be changed to be the signer certificate. Not sure if that | |
5336 * should be passed into this function or retrieved via some operation | |
5337 * on the handle/context. | |
5338 */ | |
5339 | |
5340 do { | |
5341 » const char *method; | |
5342 » PRBool validResponseWithAccurateInfo = PR_FALSE; | |
5343 » retry = PR_FALSE; | |
5344 » *rv_ocsp = SECFailure; | |
5345 | |
5346 » if (currentStage == stageGET) { | |
5347 » method = "GET"; | |
5348 » } else { | |
5349 » PORT_Assert(currentStage == stagePOST); | |
5350 » method = "POST"; | |
5351 » } | |
5352 | |
5353 » encodedResponse =· | |
5354 » ocsp_GetEncodedOCSPResponseForSingleCert(NULL, certID, cert, | |
5355 » » » » » » location, method, | |
5356 » » » » » » time, locationIsDefault, | |
5357 » » » » » » pwArg, &request); | |
5358 | |
5359 » if (encodedResponse) { | |
5360 » rv = ocsp_GetDecodedVerifiedSingleResponseForID(handle, certID, cert
, | |
5361 » » » » » » » time, pwArg, | |
5362 » » » » » » » encodedResponse, | |
5363 » » » » » » » &decodedResponse, | |
5364 » » » » » » » &singleResponse); | |
5365 » if (rv == SECSuccess) { | |
5366 » » switch (singleResponse->certStatus->certStatusType) { | |
5367 » » case ocspCertStatus_good: | |
5368 » » case ocspCertStatus_revoked: | |
5369 » » » validResponseWithAccurateInfo = PR_TRUE; | |
5370 » » » break; | |
5371 » » default: | |
5372 » » » break; | |
5373 » » } | |
5374 » » *rv_ocsp = ocsp_SingleResponseCertHasGoodStatus(singleResponse,
time); | |
5375 » } | |
5376 » } | |
5377 | |
5378 » if (currentStage == stageGET) { | |
5379 » /* only accept GET response if good or revoked */ | |
5380 » if (validResponseWithAccurateInfo) { | |
5381 » » ocsp_CacheSingleResponse(certID, singleResponse,· | |
5382 » » » » » certIDWasConsumed); | |
5383 » } else { | |
5384 » » retry = PR_TRUE; | |
5385 » » currentStage = stagePOST; | |
5386 » } | |
5387 » } else { | |
5388 » /* cache the POST respone, regardless of status */ | |
5389 » if (!singleResponse) { | |
5390 » » cert_RememberOCSPProcessingFailure(certID, certIDWasConsumed); | |
5391 » } else { | |
5392 » » ocsp_CacheSingleResponse(certID, singleResponse,· | |
5393 » » » » » certIDWasConsumed); | |
5394 » } | |
5395 » } | |
5396 | |
5397 » if (encodedResponse) { | |
5398 » SECITEM_FreeItem(encodedResponse, PR_TRUE); | |
5399 » encodedResponse = NULL; | |
5400 » } | |
5401 » if (request) { | |
5402 » CERT_DestroyOCSPRequest(request); | |
5403 » request = NULL; | |
5404 » } | |
5405 » if (decodedResponse) { | |
5406 » CERT_DestroyOCSPResponse(decodedResponse); | |
5407 » decodedResponse = NULL; | |
5408 » } | |
5409 » singleResponse = NULL; | |
5410 | |
5411 } while (retry); | |
5412 | |
5413 PORT_Free(location); | |
5414 return rv; | |
5415 } | 4927 } |
5416 | 4928 |
5417 /* | 4929 /* |
5418 * FUNCTION: ocsp_GetDecodedVerifiedSingleResponseForID | 4930 * FUNCTION: ocsp_GetDecodedVerifiedSingleResponseForID |
5419 * This function decodes an OCSP response and checks for a valid response | 4931 * This function decodes an OCSP response and checks for a valid response |
5420 * concerning the given certificate. | 4932 * concerning the given certificate. |
5421 * | 4933 * |
5422 * Note: a 'valid' response is one that parses successfully, is not an OCSP | 4934 * Note: a 'valid' response is one that parses successfully, is not an OCSP |
5423 * exception (see RFC 2560 Section 2.3), is correctly signed and is current. | 4935 * exception (see RFC 2560 Section 2.3), is correctly signed and is current. |
5424 * A 'good' response is a valid response that attests that the certificate | 4936 * A 'good' response is a valid response that attests that the certificate |
(...skipping 15 matching lines...) Expand all Loading... |
5440 * CERTOCSPResponse **pDecodedResponse | 4952 * CERTOCSPResponse **pDecodedResponse |
5441 * (output) The caller must ALWAYS check for this output parameter, | 4953 * (output) The caller must ALWAYS check for this output parameter, |
5442 * and if it's non-null, must destroy it using CERT_DestroyOCSPResponse. | 4954 * and if it's non-null, must destroy it using CERT_DestroyOCSPResponse. |
5443 * CERTOCSPSingleResponse **pSingle | 4955 * CERTOCSPSingleResponse **pSingle |
5444 * (output) on success, this points to the single response that corresponds | 4956 * (output) on success, this points to the single response that corresponds |
5445 * to the certID parameter. Points to the inside of pDecodedResponse. | 4957 * to the certID parameter. Points to the inside of pDecodedResponse. |
5446 * It isn't a copy, don't free it. | 4958 * It isn't a copy, don't free it. |
5447 * RETURN: | 4959 * RETURN: |
5448 * SECSuccess iff the response is valid. | 4960 * SECSuccess iff the response is valid. |
5449 */ | 4961 */ |
5450 static SECStatus | 4962 static SECStatus ocsp_GetDecodedVerifiedSingleResponseForID( |
5451 ocsp_GetDecodedVerifiedSingleResponseForID(CERTCertDBHandle *handle, | 4963 CERTCertDBHandle *handle, CERTOCSPCertID *certID, CERTCertificate *cert, |
5452 » » » » » CERTOCSPCertID *certID, | 4964 PRTime time, void *pwArg, const SECItem *encodedResponse, |
5453 » » » » » CERTCertificate *cert, | 4965 CERTOCSPResponse **pDecodedResponse, CERTOCSPSingleResponse **pSingle) { |
5454 » » » » » PRTime time, | 4966 CERTCertificate *signerCert = NULL; |
5455 » » » » » void *pwArg, | 4967 CERTCertificate *issuerCert = NULL; |
5456 » » » » » const SECItem *encodedResponse, | 4968 SECStatus rv = SECFailure; |
5457 » » » » » CERTOCSPResponse **pDecodedResponse, | 4969 |
5458 » » » » » CERTOCSPSingleResponse **pSingle) | 4970 if (!pSingle || !pDecodedResponse) { |
5459 { | 4971 return SECFailure; |
5460 CERTCertificate *signerCert = NULL; | 4972 } |
5461 CERTCertificate *issuerCert = NULL; | 4973 *pSingle = NULL; |
5462 SECStatus rv = SECFailure; | 4974 *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse); |
5463 | 4975 if (!*pDecodedResponse) { |
5464 if (!pSingle || !pDecodedResponse) { | 4976 return SECFailure; |
5465 » return SECFailure; | 4977 } |
5466 } | 4978 |
5467 *pSingle = NULL; | 4979 /* |
5468 *pDecodedResponse = CERT_DecodeOCSPResponse(encodedResponse); | 4980 * Okay, we at least have a response that *looks* like a response! |
5469 if (!*pDecodedResponse) { | 4981 * Now see if the overall response status value is good or not. |
5470 » return SECFailure; | 4982 * If not, we set an error and give up. (It means that either the |
5471 } | 4983 * server had a problem, or it didn't like something about our |
5472 | 4984 * request. Either way there is nothing to do but give up.) |
5473 /* | 4985 * Otherwise, we continue to find the actual per-cert status |
5474 * Okay, we at least have a response that *looks* like a response! | 4986 * in the response. |
5475 * Now see if the overall response status value is good or not. | 4987 */ |
5476 * If not, we set an error and give up. (It means that either the | 4988 if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) { |
5477 * server had a problem, or it didn't like something about our | 4989 goto loser; |
5478 * request. Either way there is nothing to do but give up.) | 4990 } |
5479 * Otherwise, we continue to find the actual per-cert status | 4991 |
5480 * in the response. | 4992 /* |
5481 */ | 4993 * If we've made it this far, we expect a response with a good signature. |
5482 if (CERT_GetOCSPResponseStatus(*pDecodedResponse) != SECSuccess) { | 4994 * So, check for that. |
5483 » goto loser; | 4995 */ |
5484 } | 4996 issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); |
5485 | 4997 rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg, |
5486 /* | 4998 &signerCert, issuerCert); |
5487 * If we've made it this far, we expect a response with a good signature. | 4999 if (rv != SECSuccess) { |
5488 * So, check for that. | 5000 goto loser; |
5489 */ | 5001 } |
5490 issuerCert = CERT_FindCertIssuer(cert, time, certUsageAnyCA); | 5002 |
5491 rv = CERT_VerifyOCSPResponseSignature(*pDecodedResponse, handle, pwArg, | 5003 PORT_Assert(signerCert != NULL); /* internal consistency check */ |
5492 &signerCert, issuerCert); | 5004 /* XXX probably should set error, return failure if signerCert is null */ |
5493 if (rv != SECSuccess) { | 5005 |
5494 » goto loser; | 5006 /* |
5495 } | 5007 * Again, we are only doing one request for one cert. |
5496 | 5008 * XXX When we handle cert chains, the following code will obviously |
5497 PORT_Assert(signerCert != NULL);» /* internal consistency check */ | 5009 * have to be modified, in coordation with the code above that will |
5498 /* XXX probably should set error, return failure if signerCert is null */ | 5010 * have to determine how to make multiple requests, etc. |
5499 | 5011 */ |
5500 /* | 5012 rv = ocsp_GetVerifiedSingleResponseForCertID( |
5501 * Again, we are only doing one request for one cert. | 5013 handle, *pDecodedResponse, certID, signerCert, time, pSingle); |
5502 * XXX When we handle cert chains, the following code will obviously | |
5503 * have to be modified, in coordation with the code above that will | |
5504 * have to determine how to make multiple requests, etc.· | |
5505 */ | |
5506 rv = ocsp_GetVerifiedSingleResponseForCertID(handle, *pDecodedResponse, cert
ID, | |
5507 signerCert, time, pSingle); | |
5508 loser: | 5014 loser: |
5509 if (issuerCert != NULL) | 5015 if (issuerCert != NULL) CERT_DestroyCertificate(issuerCert); |
5510 » CERT_DestroyCertificate(issuerCert); | 5016 if (signerCert != NULL) CERT_DestroyCertificate(signerCert); |
5511 if (signerCert != NULL) | 5017 return rv; |
5512 » CERT_DestroyCertificate(signerCert); | |
5513 return rv; | |
5514 } | 5018 } |
5515 | 5019 |
5516 /* | 5020 /* |
5517 * FUNCTION: ocsp_CacheSingleResponse | 5021 * FUNCTION: ocsp_CacheSingleResponse |
5518 * This function requires that the caller has checked that the response | 5022 * This function requires that the caller has checked that the response |
5519 * is valid and verified. | 5023 * is valid and verified. |
5520 * The (positive or negative) valid response will be used to update the cache. | 5024 * The (positive or negative) valid response will be used to update the cache. |
5521 * INPUTS: | 5025 * INPUTS: |
5522 * CERTOCSPCertID *certID | 5026 * CERTOCSPCertID *certID |
5523 * the cert ID corresponding to |cert| | 5027 * the cert ID corresponding to |cert| |
5524 * PRBool *certIDWasConsumed | 5028 * PRBool *certIDWasConsumed |
5525 * (output) on return, this is true iff |certID| was consumed by this | 5029 * (output) on return, this is true iff |certID| was consumed by this |
5526 * function. | 5030 * function. |
5527 */ | 5031 */ |
5528 void | 5032 void ocsp_CacheSingleResponse(CERTOCSPCertID *certID, |
5529 ocsp_CacheSingleResponse(CERTOCSPCertID *certID, | 5033 CERTOCSPSingleResponse *single, |
5530 » » » CERTOCSPSingleResponse *single, | 5034 PRBool *certIDWasConsumed) { |
5531 » » » PRBool *certIDWasConsumed) | 5035 if (single != NULL) { |
5532 { | |
5533 if (single != NULL) { | |
5534 » PR_EnterMonitor(OCSP_Global.monitor); | |
5535 » if (OCSP_Global.maxCacheEntries >= 0) { | |
5536 » ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, | |
5537 » » » » » certIDWasConsumed); | |
5538 » /* ignore cache update failures */ | |
5539 » } | |
5540 » PR_ExitMonitor(OCSP_Global.monitor); | |
5541 } | |
5542 } | |
5543 | |
5544 SECStatus | |
5545 ocsp_GetVerifiedSingleResponseForCertID(CERTCertDBHandle *handle,· | |
5546 CERTOCSPResponse *response,· | |
5547 CERTOCSPCertID *certID, | |
5548 CERTCertificate *signerCert, | |
5549 PRTime time, | |
5550 CERTOCSPSingleResponse· | |
5551 **pSingleResponse) | |
5552 { | |
5553 SECStatus rv; | |
5554 ocspResponseData *responseData; | |
5555 PRTime producedAt; | |
5556 CERTOCSPSingleResponse *single; | |
5557 | |
5558 /* | |
5559 * The ResponseData part is the real guts of the response. | |
5560 */ | |
5561 responseData = ocsp_GetResponseData(response, NULL); | |
5562 if (responseData == NULL) { | |
5563 rv = SECFailure; | |
5564 goto loser; | |
5565 } | |
5566 | |
5567 /* | |
5568 * There is one producedAt time for the entire response (and a separate | |
5569 * thisUpdate time for each individual single response). We need to | |
5570 * compare them, so get the overall time to pass into the check of each | |
5571 * single response. | |
5572 */ | |
5573 rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt); | |
5574 if (rv != SECSuccess) | |
5575 goto loser; | |
5576 | |
5577 single = ocsp_GetSingleResponseForCertID(responseData->responses, | |
5578 handle, certID); | |
5579 if (single == NULL) { | |
5580 rv = SECFailure; | |
5581 goto loser; | |
5582 } | |
5583 | |
5584 rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt); | |
5585 if (rv != SECSuccess) | |
5586 goto loser; | |
5587 *pSingleResponse = single; | |
5588 | |
5589 loser: | |
5590 return rv; | |
5591 } | |
5592 | |
5593 SECStatus | |
5594 CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle,· | |
5595 CERTOCSPResponse *response,· | |
5596 CERTOCSPCertID *certID, | |
5597 CERTCertificate *signerCert, | |
5598 PRTime time) | |
5599 { | |
5600 /* | |
5601 * We do not update the cache, because: | |
5602 * | |
5603 * CERT_GetOCSPStatusForCertID is an old exported API that was introduced | |
5604 * before the OCSP cache got implemented. | |
5605 * | |
5606 * The implementation of helper function cert_ProcessOCSPResponse | |
5607 * requires the ability to transfer ownership of the the given certID to | |
5608 * the cache. The external API doesn't allow us to prevent the caller from | |
5609 * destroying the certID. We don't have the original certificate available, | |
5610 * therefore we are unable to produce another certID object (that could· | |
5611 * be stored in the cache). | |
5612 * | |
5613 * Should we ever implement code to produce a deep copy of certID, | |
5614 * then this could be changed to allow updating the cache. | |
5615 * The duplication would have to be done in· | |
5616 * cert_ProcessOCSPResponse, if the out parameter to indicate | |
5617 * a transfer of ownership is NULL. | |
5618 */ | |
5619 return cert_ProcessOCSPResponse(handle, response, certID,· | |
5620 signerCert, time,· | |
5621 NULL, NULL); | |
5622 } | |
5623 | |
5624 /* | |
5625 * The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID. | |
5626 */ | |
5627 SECStatus | |
5628 cert_ProcessOCSPResponse(CERTCertDBHandle *handle,· | |
5629 CERTOCSPResponse *response,· | |
5630 CERTOCSPCertID *certID, | |
5631 CERTCertificate *signerCert, | |
5632 PRTime time, | |
5633 PRBool *certIDWasConsumed, | |
5634 SECStatus *cacheUpdateStatus) | |
5635 { | |
5636 SECStatus rv; | |
5637 SECStatus rv_cache = SECSuccess; | |
5638 CERTOCSPSingleResponse *single = NULL; | |
5639 | |
5640 rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID,· | |
5641 signerCert, time, &single); | |
5642 if (rv == SECSuccess) { | |
5643 /* | |
5644 * Check whether the status says revoked, and if so· | |
5645 * how that compares to the time value passed into this routine. | |
5646 */ | |
5647 rv = ocsp_SingleResponseCertHasGoodStatus(single, time); | |
5648 } | |
5649 | |
5650 if (certIDWasConsumed) { | |
5651 /* | |
5652 * We don't have copy-of-certid implemented. In order to update· | |
5653 * the cache, the caller must supply an out variable· | |
5654 * certIDWasConsumed, allowing us to return ownership status. | |
5655 */ | |
5656 ·· | |
5657 PR_EnterMonitor(OCSP_Global.monitor); | |
5658 if (OCSP_Global.maxCacheEntries >= 0) { | |
5659 /* single == NULL means: remember response failure */ | |
5660 rv_cache =· | |
5661 ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, | |
5662 single, certIDWasConsumed); | |
5663 } | |
5664 PR_ExitMonitor(OCSP_Global.monitor); | |
5665 if (cacheUpdateStatus) { | |
5666 *cacheUpdateStatus = rv_cache; | |
5667 } | |
5668 } | |
5669 | |
5670 return rv; | |
5671 } | |
5672 | |
5673 SECStatus | |
5674 cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, | |
5675 PRBool *certIDWasConsumed) | |
5676 { | |
5677 SECStatus rv = SECSuccess; | |
5678 PR_EnterMonitor(OCSP_Global.monitor); | 5036 PR_EnterMonitor(OCSP_Global.monitor); |
5679 if (OCSP_Global.maxCacheEntries >= 0) { | 5037 if (OCSP_Global.maxCacheEntries >= 0) { |
5680 rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, | 5038 ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, single, |
5681 certIDWasConsumed); | 5039 certIDWasConsumed); |
| 5040 /* ignore cache update failures */ |
5682 } | 5041 } |
5683 PR_ExitMonitor(OCSP_Global.monitor); | 5042 PR_ExitMonitor(OCSP_Global.monitor); |
5684 return rv; | 5043 } |
| 5044 } |
| 5045 |
| 5046 SECStatus ocsp_GetVerifiedSingleResponseForCertID( |
| 5047 CERTCertDBHandle *handle, CERTOCSPResponse *response, |
| 5048 CERTOCSPCertID *certID, CERTCertificate *signerCert, PRTime time, |
| 5049 CERTOCSPSingleResponse **pSingleResponse) { |
| 5050 SECStatus rv; |
| 5051 ocspResponseData *responseData; |
| 5052 PRTime producedAt; |
| 5053 CERTOCSPSingleResponse *single; |
| 5054 |
| 5055 /* |
| 5056 * The ResponseData part is the real guts of the response. |
| 5057 */ |
| 5058 responseData = ocsp_GetResponseData(response, NULL); |
| 5059 if (responseData == NULL) { |
| 5060 rv = SECFailure; |
| 5061 goto loser; |
| 5062 } |
| 5063 |
| 5064 /* |
| 5065 * There is one producedAt time for the entire response (and a separate |
| 5066 * thisUpdate time for each individual single response). We need to |
| 5067 * compare them, so get the overall time to pass into the check of each |
| 5068 * single response. |
| 5069 */ |
| 5070 rv = DER_GeneralizedTimeToTime(&producedAt, &responseData->producedAt); |
| 5071 if (rv != SECSuccess) goto loser; |
| 5072 |
| 5073 single = |
| 5074 ocsp_GetSingleResponseForCertID(responseData->responses, handle, certID); |
| 5075 if (single == NULL) { |
| 5076 rv = SECFailure; |
| 5077 goto loser; |
| 5078 } |
| 5079 |
| 5080 rv = ocsp_VerifySingleResponse(single, handle, signerCert, producedAt); |
| 5081 if (rv != SECSuccess) goto loser; |
| 5082 *pSingleResponse = single; |
| 5083 |
| 5084 loser: |
| 5085 return rv; |
| 5086 } |
| 5087 |
| 5088 SECStatus CERT_GetOCSPStatusForCertID(CERTCertDBHandle *handle, |
| 5089 CERTOCSPResponse *response, |
| 5090 CERTOCSPCertID *certID, |
| 5091 CERTCertificate *signerCert, |
| 5092 PRTime time) { |
| 5093 /* |
| 5094 * We do not update the cache, because: |
| 5095 * |
| 5096 * CERT_GetOCSPStatusForCertID is an old exported API that was introduced |
| 5097 * before the OCSP cache got implemented. |
| 5098 * |
| 5099 * The implementation of helper function cert_ProcessOCSPResponse |
| 5100 * requires the ability to transfer ownership of the the given certID to |
| 5101 * the cache. The external API doesn't allow us to prevent the caller from |
| 5102 * destroying the certID. We don't have the original certificate available, |
| 5103 * therefore we are unable to produce another certID object (that could |
| 5104 * be stored in the cache). |
| 5105 * |
| 5106 * Should we ever implement code to produce a deep copy of certID, |
| 5107 * then this could be changed to allow updating the cache. |
| 5108 * The duplication would have to be done in |
| 5109 * cert_ProcessOCSPResponse, if the out parameter to indicate |
| 5110 * a transfer of ownership is NULL. |
| 5111 */ |
| 5112 return cert_ProcessOCSPResponse(handle, response, certID, signerCert, time, |
| 5113 NULL, NULL); |
| 5114 } |
| 5115 |
| 5116 /* |
| 5117 * The first 5 parameters match the definition of CERT_GetOCSPStatusForCertID. |
| 5118 */ |
| 5119 SECStatus cert_ProcessOCSPResponse(CERTCertDBHandle *handle, |
| 5120 CERTOCSPResponse *response, |
| 5121 CERTOCSPCertID *certID, |
| 5122 CERTCertificate *signerCert, PRTime time, |
| 5123 PRBool *certIDWasConsumed, |
| 5124 SECStatus *cacheUpdateStatus) { |
| 5125 SECStatus rv; |
| 5126 SECStatus rv_cache = SECSuccess; |
| 5127 CERTOCSPSingleResponse *single = NULL; |
| 5128 |
| 5129 rv = ocsp_GetVerifiedSingleResponseForCertID(handle, response, certID, |
| 5130 signerCert, time, &single); |
| 5131 if (rv == SECSuccess) { |
| 5132 /* |
| 5133 * Check whether the status says revoked, and if so |
| 5134 * how that compares to the time value passed into this routine. |
| 5135 */ |
| 5136 rv = ocsp_SingleResponseCertHasGoodStatus(single, time); |
| 5137 } |
| 5138 |
| 5139 if (certIDWasConsumed) { |
| 5140 /* |
| 5141 * We don't have copy-of-certid implemented. In order to update |
| 5142 * the cache, the caller must supply an out variable |
| 5143 * certIDWasConsumed, allowing us to return ownership status. |
| 5144 */ |
| 5145 |
| 5146 PR_EnterMonitor(OCSP_Global.monitor); |
| 5147 if (OCSP_Global.maxCacheEntries >= 0) { |
| 5148 /* single == NULL means: remember response failure */ |
| 5149 rv_cache = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, |
| 5150 single, certIDWasConsumed); |
| 5151 } |
| 5152 PR_ExitMonitor(OCSP_Global.monitor); |
| 5153 if (cacheUpdateStatus) { |
| 5154 *cacheUpdateStatus = rv_cache; |
| 5155 } |
| 5156 } |
| 5157 |
| 5158 return rv; |
| 5159 } |
| 5160 |
| 5161 SECStatus cert_RememberOCSPProcessingFailure(CERTOCSPCertID *certID, |
| 5162 PRBool *certIDWasConsumed) { |
| 5163 SECStatus rv = SECSuccess; |
| 5164 PR_EnterMonitor(OCSP_Global.monitor); |
| 5165 if (OCSP_Global.maxCacheEntries >= 0) { |
| 5166 rv = ocsp_CreateOrUpdateCacheEntry(&OCSP_Global.cache, certID, NULL, |
| 5167 certIDWasConsumed); |
| 5168 } |
| 5169 PR_ExitMonitor(OCSP_Global.monitor); |
| 5170 return rv; |
5685 } | 5171 } |
5686 | 5172 |
5687 /* | 5173 /* |
5688 * Disable status checking and destroy related structures/data. | 5174 * Disable status checking and destroy related structures/data. |
5689 */ | 5175 */ |
5690 static SECStatus | 5176 static SECStatus ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig) { |
5691 ocsp_DestroyStatusChecking(CERTStatusConfig *statusConfig) | 5177 ocspCheckingContext *statusContext; |
5692 { | 5178 |
5693 ocspCheckingContext *statusContext; | 5179 /* |
5694 | 5180 * Disable OCSP checking |
5695 /* | 5181 */ |
5696 * Disable OCSP checking | 5182 statusConfig->statusChecker = NULL; |
5697 */ | 5183 |
5698 statusConfig->statusChecker = NULL; | 5184 statusContext = statusConfig->statusContext; |
5699 | 5185 PORT_Assert(statusContext != NULL); |
5700 statusContext = statusConfig->statusContext; | 5186 if (statusContext == NULL) return SECFailure; |
5701 PORT_Assert(statusContext != NULL); | 5187 |
5702 if (statusContext == NULL) | 5188 if (statusContext->defaultResponderURI != NULL) |
5703 » return SECFailure; | 5189 PORT_Free(statusContext->defaultResponderURI); |
5704 | 5190 if (statusContext->defaultResponderNickname != NULL) |
5705 if (statusContext->defaultResponderURI != NULL) | 5191 PORT_Free(statusContext->defaultResponderNickname); |
5706 » PORT_Free(statusContext->defaultResponderURI); | 5192 |
5707 if (statusContext->defaultResponderNickname != NULL) | 5193 PORT_Free(statusContext); |
5708 » PORT_Free(statusContext->defaultResponderNickname); | 5194 statusConfig->statusContext = NULL; |
5709 | 5195 |
5710 PORT_Free(statusContext); | 5196 PORT_Free(statusConfig); |
5711 statusConfig->statusContext = NULL; | 5197 |
5712 | 5198 return SECSuccess; |
5713 PORT_Free(statusConfig); | 5199 } |
5714 | |
5715 return SECSuccess; | |
5716 } | |
5717 | |
5718 | 5200 |
5719 /* | 5201 /* |
5720 * FUNCTION: CERT_DisableOCSPChecking | 5202 * FUNCTION: CERT_DisableOCSPChecking |
5721 * Turns off OCSP checking for the given certificate database. | 5203 * Turns off OCSP checking for the given certificate database. |
5722 * This routine disables OCSP checking. Though it will return | 5204 * This routine disables OCSP checking. Though it will return |
5723 * SECFailure if OCSP checking is not enabled, it is "safe" to | 5205 * SECFailure if OCSP checking is not enabled, it is "safe" to |
5724 * call it that way and just ignore the return value, if it is | 5206 * call it that way and just ignore the return value, if it is |
5725 * easier to just call it than to "remember" whether it is enabled. | 5207 * easier to just call it than to "remember" whether it is enabled. |
5726 * INPUTS: | 5208 * INPUTS: |
5727 * CERTCertDBHandle *handle | 5209 * CERTCertDBHandle *handle |
5728 * Certificate database for which OCSP checking will be disabled. | 5210 * Certificate database for which OCSP checking will be disabled. |
5729 * RETURN: | 5211 * RETURN: |
5730 * Returns SECFailure if an error occurred (usually means that OCSP | 5212 * Returns SECFailure if an error occurred (usually means that OCSP |
5731 * checking was not enabled or status contexts were not initialized -- | 5213 * checking was not enabled or status contexts were not initialized -- |
5732 * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. | 5214 * error set will be SEC_ERROR_OCSP_NOT_ENABLED); SECSuccess otherwise. |
5733 */ | 5215 */ |
5734 SECStatus | 5216 SECStatus CERT_DisableOCSPChecking(CERTCertDBHandle *handle) { |
5735 CERT_DisableOCSPChecking(CERTCertDBHandle *handle) | 5217 CERTStatusConfig *statusConfig; |
5736 { | 5218 ocspCheckingContext *statusContext; |
5737 CERTStatusConfig *statusConfig; | 5219 |
5738 ocspCheckingContext *statusContext; | 5220 if (handle == NULL) { |
5739 | 5221 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
5740 if (handle == NULL) { | 5222 return SECFailure; |
5741 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 5223 } |
5742 » return SECFailure; | 5224 |
5743 } | 5225 statusConfig = CERT_GetStatusConfig(handle); |
5744 | 5226 statusContext = ocsp_GetCheckingContext(handle); |
5745 statusConfig = CERT_GetStatusConfig(handle); | 5227 if (statusContext == NULL) return SECFailure; |
5746 statusContext = ocsp_GetCheckingContext(handle); | 5228 |
5747 if (statusContext == NULL) | 5229 if (statusConfig->statusChecker != CERT_CheckOCSPStatus) { |
5748 » return SECFailure; | |
5749 | |
5750 if (statusConfig->statusChecker != CERT_CheckOCSPStatus) { | |
5751 » /* | |
5752 » * Status configuration is present, but either not currently | |
5753 » * enabled or not for OCSP. | |
5754 » */ | |
5755 » PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); | |
5756 » return SECFailure; | |
5757 } | |
5758 | |
5759 /* cache no longer necessary */ | |
5760 CERT_ClearOCSPCache(); | |
5761 | |
5762 /* | 5230 /* |
5763 * This is how we disable status checking. Everything else remains | 5231 * Status configuration is present, but either not currently |
5764 * in place in case we are enabled again. | 5232 * enabled or not for OCSP. |
5765 */ | 5233 */ |
5766 statusConfig->statusChecker = NULL; | 5234 PORT_SetError(SEC_ERROR_OCSP_NOT_ENABLED); |
5767 | 5235 return SECFailure; |
5768 return SECSuccess; | 5236 } |
| 5237 |
| 5238 /* cache no longer necessary */ |
| 5239 CERT_ClearOCSPCache(); |
| 5240 |
| 5241 /* |
| 5242 * This is how we disable status checking. Everything else remains |
| 5243 * in place in case we are enabled again. |
| 5244 */ |
| 5245 statusConfig->statusChecker = NULL; |
| 5246 |
| 5247 return SECSuccess; |
5769 } | 5248 } |
5770 | 5249 |
5771 /* | 5250 /* |
5772 * Allocate and initialize the informational structures for status checking. | 5251 * Allocate and initialize the informational structures for status checking. |
5773 * This is done when some configuration of OCSP is being done or when OCSP | 5252 * This is done when some configuration of OCSP is being done or when OCSP |
5774 * checking is being turned on, whichever comes first. | 5253 * checking is being turned on, whichever comes first. |
5775 */ | 5254 */ |
5776 static SECStatus | 5255 static SECStatus ocsp_InitStatusChecking(CERTCertDBHandle *handle) { |
5777 ocsp_InitStatusChecking(CERTCertDBHandle *handle) | 5256 CERTStatusConfig *statusConfig = NULL; |
5778 { | 5257 ocspCheckingContext *statusContext = NULL; |
5779 CERTStatusConfig *statusConfig = NULL; | 5258 |
5780 ocspCheckingContext *statusContext = NULL; | 5259 PORT_Assert(CERT_GetStatusConfig(handle) == NULL); |
5781 | 5260 if (CERT_GetStatusConfig(handle) != NULL) { |
5782 PORT_Assert(CERT_GetStatusConfig(handle) == NULL); | 5261 /* XXX or call statusConfig->statusDestroy and continue? */ |
5783 if (CERT_GetStatusConfig(handle) != NULL) { | 5262 return SECFailure; |
5784 » /* XXX or call statusConfig->statusDestroy and continue? */ | 5263 } |
5785 » return SECFailure; | 5264 |
5786 } | 5265 statusConfig = PORT_ZNew(CERTStatusConfig); |
5787 | 5266 if (statusConfig == NULL) goto loser; |
5788 statusConfig = PORT_ZNew(CERTStatusConfig); | 5267 |
5789 if (statusConfig == NULL) | 5268 statusContext = PORT_ZNew(ocspCheckingContext); |
5790 » goto loser; | 5269 if (statusContext == NULL) goto loser; |
5791 | 5270 |
5792 statusContext = PORT_ZNew(ocspCheckingContext); | 5271 statusConfig->statusDestroy = ocsp_DestroyStatusChecking; |
5793 if (statusContext == NULL) | 5272 statusConfig->statusContext = statusContext; |
5794 » goto loser; | 5273 |
5795 | 5274 CERT_SetStatusConfig(handle, statusConfig); |
5796 statusConfig->statusDestroy = ocsp_DestroyStatusChecking; | 5275 |
5797 statusConfig->statusContext = statusContext; | 5276 return SECSuccess; |
5798 | |
5799 CERT_SetStatusConfig(handle, statusConfig); | |
5800 | |
5801 return SECSuccess; | |
5802 | 5277 |
5803 loser: | 5278 loser: |
5804 if (statusConfig != NULL) | 5279 if (statusConfig != NULL) PORT_Free(statusConfig); |
5805 » PORT_Free(statusConfig); | 5280 return SECFailure; |
5806 return SECFailure; | 5281 } |
5807 } | |
5808 | |
5809 | 5282 |
5810 /* | 5283 /* |
5811 * FUNCTION: CERT_EnableOCSPChecking | 5284 * FUNCTION: CERT_EnableOCSPChecking |
5812 * Turns on OCSP checking for the given certificate database. | 5285 * Turns on OCSP checking for the given certificate database. |
5813 * INPUTS: | 5286 * INPUTS: |
5814 * CERTCertDBHandle *handle | 5287 * CERTCertDBHandle *handle |
5815 * Certificate database for which OCSP checking will be enabled. | 5288 * Certificate database for which OCSP checking will be enabled. |
5816 * RETURN: | 5289 * RETURN: |
5817 * Returns SECFailure if an error occurred (likely only problem | 5290 * Returns SECFailure if an error occurred (likely only problem |
5818 * allocating memory); SECSuccess otherwise. | 5291 * allocating memory); SECSuccess otherwise. |
5819 */ | 5292 */ |
5820 SECStatus | 5293 SECStatus CERT_EnableOCSPChecking(CERTCertDBHandle *handle) { |
5821 CERT_EnableOCSPChecking(CERTCertDBHandle *handle) | 5294 CERTStatusConfig *statusConfig; |
5822 { | 5295 |
5823 CERTStatusConfig *statusConfig; | 5296 SECStatus rv; |
5824 ···· | 5297 |
5825 SECStatus rv; | 5298 if (handle == NULL) { |
5826 | 5299 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
5827 if (handle == NULL) { | 5300 return SECFailure; |
5828 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 5301 } |
5829 » return SECFailure; | 5302 |
5830 } | 5303 statusConfig = CERT_GetStatusConfig(handle); |
5831 | 5304 if (statusConfig == NULL) { |
| 5305 rv = ocsp_InitStatusChecking(handle); |
| 5306 if (rv != SECSuccess) return rv; |
| 5307 |
| 5308 /* Get newly established value */ |
5832 statusConfig = CERT_GetStatusConfig(handle); | 5309 statusConfig = CERT_GetStatusConfig(handle); |
5833 if (statusConfig == NULL) { | 5310 PORT_Assert(statusConfig != NULL); |
5834 » rv = ocsp_InitStatusChecking(handle); | 5311 } |
5835 » if (rv != SECSuccess) | 5312 |
5836 » return rv; | 5313 /* |
5837 | 5314 * Setting the checker function is what really enables the checking |
5838 » /* Get newly established value */ | 5315 * when each cert verification is done. |
5839 » statusConfig = CERT_GetStatusConfig(handle); | 5316 */ |
5840 » PORT_Assert(statusConfig != NULL); | 5317 statusConfig->statusChecker = CERT_CheckOCSPStatus; |
5841 } | 5318 |
5842 | 5319 return SECSuccess; |
5843 /* | 5320 } |
5844 * Setting the checker function is what really enables the checking | |
5845 * when each cert verification is done. | |
5846 */ | |
5847 statusConfig->statusChecker = CERT_CheckOCSPStatus; | |
5848 | |
5849 return SECSuccess; | |
5850 } | |
5851 | |
5852 | 5321 |
5853 /* | 5322 /* |
5854 * FUNCTION: CERT_SetOCSPDefaultResponder | 5323 * FUNCTION: CERT_SetOCSPDefaultResponder |
5855 * Specify the location and cert of the default responder. | 5324 * Specify the location and cert of the default responder. |
5856 * If OCSP checking is already enabled *and* use of a default responder | 5325 * If OCSP checking is already enabled *and* use of a default responder |
5857 * is also already enabled, all OCSP checking from now on will go directly | 5326 * is also already enabled, all OCSP checking from now on will go directly |
5858 * to the specified responder. If OCSP checking is not enabled, or if | 5327 * to the specified responder. If OCSP checking is not enabled, or if |
5859 * it is but use of a default responder is not enabled, the information | 5328 * it is but use of a default responder is not enabled, the information |
5860 * will be recorded and take effect whenever both are enabled. | 5329 * will be recorded and take effect whenever both are enabled. |
5861 * INPUTS: | 5330 * INPUTS: |
5862 * CERTCertDBHandle *handle | 5331 * CERTCertDBHandle *handle |
5863 * Cert database on which OCSP checking should use the default responder. | 5332 * Cert database on which OCSP checking should use the default responder. |
5864 * char *url | 5333 * char *url |
5865 * The location of the default responder (e.g. "http://foo.com:80/ocsp") | 5334 * The location of the default responder (e.g. "http://foo.com:80/ocsp") |
5866 * Note that the location will not be tested until the first attempt | 5335 * Note that the location will not be tested until the first attempt |
5867 * to send a request there. | 5336 * to send a request there. |
5868 * char *name | 5337 * char *name |
5869 * The nickname of the cert to trust (expected) to sign the OCSP responses. | 5338 * The nickname of the cert to trust (expected) to sign the OCSP responses. |
5870 * If the corresponding cert cannot be found, SECFailure is returned. | 5339 * If the corresponding cert cannot be found, SECFailure is returned. |
5871 * RETURN: | 5340 * RETURN: |
5872 * Returns SECFailure if an error occurred; SECSuccess otherwise. | 5341 * Returns SECFailure if an error occurred; SECSuccess otherwise. |
5873 * The most likely error is that the cert for "name" could not be found | 5342 * The most likely error is that the cert for "name" could not be found |
5874 * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, | 5343 * (probably SEC_ERROR_UNKNOWN_CERT). Other errors are low-level (no memory, |
5875 * bad database, etc.). | 5344 * bad database, etc.). |
5876 */ | 5345 */ |
5877 SECStatus | 5346 SECStatus CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, |
5878 CERT_SetOCSPDefaultResponder(CERTCertDBHandle *handle, | 5347 const char *url, const char *name) { |
5879 » » » const char *url, const char *name) | 5348 CERTCertificate *cert; |
5880 { | 5349 ocspCheckingContext *statusContext; |
5881 CERTCertificate *cert; | 5350 char *url_copy = NULL; |
5882 ocspCheckingContext *statusContext; | 5351 char *name_copy = NULL; |
5883 char *url_copy = NULL; | 5352 SECStatus rv; |
5884 char *name_copy = NULL; | |
5885 SECStatus rv; | |
5886 | 5353 |
5887 if (handle == NULL || url == NULL || name == NULL) { | 5354 if (handle == NULL || url == NULL || name == NULL) { |
5888 » /* | 5355 /* |
5889 » * XXX When interface is exported, probably want better errors; | 5356 * XXX When interface is exported, probably want better errors; |
5890 » * perhaps different one for each parameter. | 5357 * perhaps different one for each parameter. |
5891 » */ | 5358 */ |
5892 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 5359 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
5893 » return SECFailure; | 5360 return SECFailure; |
5894 } | 5361 } |
5895 | 5362 |
| 5363 /* |
| 5364 * Find the certificate for the specified nickname. Do this first |
| 5365 * because it seems the most likely to fail. |
| 5366 * |
| 5367 * XXX Shouldn't need that cast if the FindCertByNickname interface |
| 5368 * used const to convey that it does not modify the name. Maybe someday. |
| 5369 */ |
| 5370 cert = CERT_FindCertByNickname(handle, (char *)name); |
| 5371 if (cert == NULL) { |
5896 /* | 5372 /* |
5897 * Find the certificate for the specified nickname. Do this first | 5373 * look for the cert on an external token. |
5898 * because it seems the most likely to fail. | |
5899 * | |
5900 * XXX Shouldn't need that cast if the FindCertByNickname interface | |
5901 * used const to convey that it does not modify the name. Maybe someday. | |
5902 */ | 5374 */ |
5903 cert = CERT_FindCertByNickname(handle, (char *) name); | 5375 cert = PK11_FindCertFromNickname((char *)name, NULL); |
5904 if (cert == NULL) { | 5376 } |
5905 /* | 5377 if (cert == NULL) return SECFailure; |
5906 * look for the cert on an external token. | |
5907 */ | |
5908 cert = PK11_FindCertFromNickname((char *)name, NULL); | |
5909 } | |
5910 if (cert == NULL) | |
5911 » return SECFailure; | |
5912 | 5378 |
5913 /* | 5379 /* |
5914 * Make a copy of the url and nickname. | 5380 * Make a copy of the url and nickname. |
5915 */ | 5381 */ |
5916 url_copy = PORT_Strdup(url); | 5382 url_copy = PORT_Strdup(url); |
5917 name_copy = PORT_Strdup(name); | 5383 name_copy = PORT_Strdup(name); |
5918 if (url_copy == NULL || name_copy == NULL) { | 5384 if (url_copy == NULL || name_copy == NULL) { |
5919 » rv = SECFailure; | 5385 rv = SECFailure; |
5920 » goto loser; | 5386 goto loser; |
5921 } | 5387 } |
| 5388 |
| 5389 statusContext = ocsp_GetCheckingContext(handle); |
| 5390 |
| 5391 /* |
| 5392 * Allocate and init the context if it doesn't already exist. |
| 5393 */ |
| 5394 if (statusContext == NULL) { |
| 5395 rv = ocsp_InitStatusChecking(handle); |
| 5396 if (rv != SECSuccess) goto loser; |
5922 | 5397 |
5923 statusContext = ocsp_GetCheckingContext(handle); | 5398 statusContext = ocsp_GetCheckingContext(handle); |
| 5399 PORT_Assert(statusContext != NULL); /* extreme paranoia */ |
| 5400 } |
5924 | 5401 |
5925 /* | 5402 /* |
5926 * Allocate and init the context if it doesn't already exist. | 5403 * Note -- we do not touch the status context until after all of |
5927 */ | 5404 * the steps which could cause errors. If something goes wrong, |
5928 if (statusContext == NULL) { | 5405 * we want to leave things as they were. |
5929 » rv = ocsp_InitStatusChecking(handle); | 5406 */ |
5930 » if (rv != SECSuccess) | |
5931 » goto loser; | |
5932 | 5407 |
5933 » statusContext = ocsp_GetCheckingContext(handle); | 5408 /* |
5934 » PORT_Assert(statusContext != NULL);» /* extreme paranoia */ | 5409 * Get rid of old url and name if there. |
5935 } | 5410 */ |
| 5411 if (statusContext->defaultResponderNickname != NULL) |
| 5412 PORT_Free(statusContext->defaultResponderNickname); |
| 5413 if (statusContext->defaultResponderURI != NULL) |
| 5414 PORT_Free(statusContext->defaultResponderURI); |
5936 | 5415 |
5937 /* | 5416 /* |
5938 * Note -- we do not touch the status context until after all of | 5417 * And replace them with the new ones. |
5939 * the steps which could cause errors. If something goes wrong, | 5418 */ |
5940 * we want to leave things as they were. | 5419 statusContext->defaultResponderURI = url_copy; |
5941 */ | 5420 statusContext->defaultResponderNickname = name_copy; |
5942 | 5421 |
5943 /* | 5422 /* |
5944 * Get rid of old url and name if there. | 5423 * If there was already a cert in place, get rid of it and replace it. |
5945 */ | 5424 * Otherwise, we are not currently enabled, so we don't want to save it; |
5946 if (statusContext->defaultResponderNickname != NULL) | 5425 * it will get re-found and set whenever use of a default responder is |
5947 » PORT_Free(statusContext->defaultResponderNickname); | 5426 * enabled. |
5948 if (statusContext->defaultResponderURI != NULL) | 5427 */ |
5949 » PORT_Free(statusContext->defaultResponderURI); | 5428 if (statusContext->defaultResponderCert != NULL) { |
| 5429 CERT_DestroyCertificate(statusContext->defaultResponderCert); |
| 5430 statusContext->defaultResponderCert = cert; |
| 5431 /*OCSP enabled, switching responder: clear cache*/ |
| 5432 CERT_ClearOCSPCache(); |
| 5433 } else { |
| 5434 PORT_Assert(statusContext->useDefaultResponder == PR_FALSE); |
| 5435 CERT_DestroyCertificate(cert); |
| 5436 /*OCSP currently not enabled, no need to clear cache*/ |
| 5437 } |
5950 | 5438 |
5951 /* | 5439 return SECSuccess; |
5952 * And replace them with the new ones. | |
5953 */ | |
5954 statusContext->defaultResponderURI = url_copy; | |
5955 statusContext->defaultResponderNickname = name_copy; | |
5956 | |
5957 /* | |
5958 * If there was already a cert in place, get rid of it and replace it. | |
5959 * Otherwise, we are not currently enabled, so we don't want to save it; | |
5960 * it will get re-found and set whenever use of a default responder is | |
5961 * enabled. | |
5962 */ | |
5963 if (statusContext->defaultResponderCert != NULL) { | |
5964 » CERT_DestroyCertificate(statusContext->defaultResponderCert); | |
5965 » statusContext->defaultResponderCert = cert; | |
5966 /*OCSP enabled, switching responder: clear cache*/ | |
5967 CERT_ClearOCSPCache(); | |
5968 } else { | |
5969 » PORT_Assert(statusContext->useDefaultResponder == PR_FALSE); | |
5970 » CERT_DestroyCertificate(cert); | |
5971 /*OCSP currently not enabled, no need to clear cache*/ | |
5972 } | |
5973 | |
5974 return SECSuccess; | |
5975 | 5440 |
5976 loser: | 5441 loser: |
5977 CERT_DestroyCertificate(cert); | 5442 CERT_DestroyCertificate(cert); |
5978 if (url_copy != NULL) | 5443 if (url_copy != NULL) PORT_Free(url_copy); |
5979 » PORT_Free(url_copy); | 5444 if (name_copy != NULL) PORT_Free(name_copy); |
5980 if (name_copy != NULL) | 5445 return rv; |
5981 » PORT_Free(name_copy); | |
5982 return rv; | |
5983 } | 5446 } |
5984 | 5447 |
5985 | |
5986 /* | 5448 /* |
5987 * FUNCTION: CERT_EnableOCSPDefaultResponder | 5449 * FUNCTION: CERT_EnableOCSPDefaultResponder |
5988 * Turns on use of a default responder when OCSP checking. | 5450 * Turns on use of a default responder when OCSP checking. |
5989 * If OCSP checking is already enabled, this will make subsequent checks | 5451 * If OCSP checking is already enabled, this will make subsequent checks |
5990 * go directly to the default responder. (The location of the responder | 5452 * go directly to the default responder. (The location of the responder |
5991 * and the nickname of the responder cert must already be specified.) | 5453 * and the nickname of the responder cert must already be specified.) |
5992 * If OCSP checking is not enabled, this will be recorded and take effect | 5454 * If OCSP checking is not enabled, this will be recorded and take effect |
5993 * whenever it is enabled. | 5455 * whenever it is enabled. |
5994 * INPUTS: | 5456 * INPUTS: |
5995 * CERTCertDBHandle *handle | 5457 * CERTCertDBHandle *handle |
5996 * Cert database on which OCSP checking should use the default responder. | 5458 * Cert database on which OCSP checking should use the default responder. |
5997 * RETURN: | 5459 * RETURN: |
5998 * Returns SECFailure if an error occurred; SECSuccess otherwise. | 5460 * Returns SECFailure if an error occurred; SECSuccess otherwise. |
5999 * No errors are especially likely unless the caller did not previously | 5461 * No errors are especially likely unless the caller did not previously |
6000 * perform a successful call to SetOCSPDefaultResponder (in which case | 5462 * perform a successful call to SetOCSPDefaultResponder (in which case |
6001 * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). | 5463 * the error set will be SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER). |
6002 */ | 5464 */ |
6003 SECStatus | 5465 SECStatus CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) { |
6004 CERT_EnableOCSPDefaultResponder(CERTCertDBHandle *handle) | 5466 ocspCheckingContext *statusContext; |
6005 { | 5467 CERTCertificate *cert; |
6006 ocspCheckingContext *statusContext; | 5468 SECStatus rv; |
6007 CERTCertificate *cert; | 5469 SECCertificateUsage usage; |
6008 SECStatus rv; | |
6009 SECCertificateUsage usage; | |
6010 | 5470 |
6011 if (handle == NULL) { | 5471 if (handle == NULL) { |
6012 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 5472 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
6013 » return SECFailure; | 5473 return SECFailure; |
6014 } | 5474 } |
6015 | 5475 |
6016 statusContext = ocsp_GetCheckingContext(handle); | 5476 statusContext = ocsp_GetCheckingContext(handle); |
6017 | 5477 |
6018 if (statusContext == NULL) { | 5478 if (statusContext == NULL) { |
6019 » /* | 5479 /* |
6020 » * Strictly speaking, the error already set is "correct", | 5480 * Strictly speaking, the error already set is "correct", |
6021 » * but cover over it with one more helpful in this context. | 5481 * but cover over it with one more helpful in this context. |
6022 » */ | 5482 */ |
6023 » PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); | 5483 PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); |
6024 » return SECFailure; | 5484 return SECFailure; |
6025 } | 5485 } |
6026 | 5486 |
6027 if (statusContext->defaultResponderURI == NULL) { | 5487 if (statusContext->defaultResponderURI == NULL) { |
6028 » PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); | 5488 PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); |
6029 » return SECFailure; | 5489 return SECFailure; |
6030 } | 5490 } |
6031 | 5491 |
6032 if (statusContext->defaultResponderNickname == NULL) { | 5492 if (statusContext->defaultResponderNickname == NULL) { |
6033 » PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); | 5493 PORT_SetError(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER); |
6034 » return SECFailure; | 5494 return SECFailure; |
6035 } | 5495 } |
6036 | 5496 |
6037 /* | 5497 /* |
6038 * Find the cert for the nickname. | 5498 * Find the cert for the nickname. |
6039 */ | 5499 */ |
6040 cert = CERT_FindCertByNickname(handle, | 5500 cert = |
6041 » » » » statusContext->defaultResponderNickname); | 5501 CERT_FindCertByNickname(handle, statusContext->defaultResponderNickname); |
6042 if (cert == NULL) { | 5502 if (cert == NULL) { |
6043 cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname
, | 5503 cert = PK11_FindCertFromNickname(statusContext->defaultResponderNickname, |
6044 NULL); | 5504 NULL); |
6045 } | 5505 } |
6046 /* | 5506 /* |
6047 * We should never have trouble finding the cert, because its | 5507 * We should never have trouble finding the cert, because its |
6048 * existence should have been proven by SetOCSPDefaultResponder. | 5508 * existence should have been proven by SetOCSPDefaultResponder. |
6049 */ | 5509 */ |
6050 PORT_Assert(cert != NULL); | 5510 PORT_Assert(cert != NULL); |
6051 if (cert == NULL) | 5511 if (cert == NULL) return SECFailure; |
6052 » return SECFailure; | |
6053 | 5512 |
6054 /* | 5513 /* |
6055 * Supplied cert should at least have a signing capability in order for us | 5514 * Supplied cert should at least have a signing capability in order for us |
6056 * to use it as a trusted responder cert. Ability to sign is guaranteed if | 5515 * to use it as a trusted responder cert. Ability to sign is guaranteed if |
6057 * cert is validated to have any set of the usages below. | 5516 * cert is validated to have any set of the usages below. |
6058 */ | 5517 */ |
6059 rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE, | 5518 rv = CERT_VerifyCertificateNow(handle, cert, PR_TRUE, |
6060 certificateUsageCheckAllUsages, | 5519 certificateUsageCheckAllUsages, NULL, &usage); |
6061 NULL, &usage); | 5520 if (rv != SECSuccess || |
6062 if (rv != SECSuccess || (usage & (certificateUsageSSLClient | | 5521 (usage & (certificateUsageSSLClient | certificateUsageSSLServer | |
6063 certificateUsageSSLServer | | 5522 certificateUsageSSLServerWithStepUp | |
6064 certificateUsageSSLServerWithStepUp | | 5523 certificateUsageEmailSigner | certificateUsageObjectSigner | |
6065 certificateUsageEmailSigner | | 5524 certificateUsageStatusResponder | certificateUsageSSLCA)) == |
6066 certificateUsageObjectSigner | | 5525 0) { |
6067 certificateUsageStatusResponder | | 5526 PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID); |
6068 certificateUsageSSLCA)) == 0) { | 5527 return SECFailure; |
6069 » PORT_SetError(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID); | 5528 } |
6070 » return SECFailure; | |
6071 } | |
6072 | 5529 |
6073 /* | 5530 /* |
6074 * And hang onto it. | 5531 * And hang onto it. |
6075 */ | 5532 */ |
6076 statusContext->defaultResponderCert = cert; | 5533 statusContext->defaultResponderCert = cert; |
6077 | 5534 |
6078 /* we don't allow a mix of cache entries from different responders */ | 5535 /* we don't allow a mix of cache entries from different responders */ |
6079 CERT_ClearOCSPCache(); | 5536 CERT_ClearOCSPCache(); |
6080 | 5537 |
6081 /* | 5538 /* |
6082 * Finally, record the fact that we now have a default responder enabled. | 5539 * Finally, record the fact that we now have a default responder enabled. |
6083 */ | 5540 */ |
6084 statusContext->useDefaultResponder = PR_TRUE; | 5541 statusContext->useDefaultResponder = PR_TRUE; |
6085 return SECSuccess; | 5542 return SECSuccess; |
6086 } | 5543 } |
6087 | 5544 |
6088 | |
6089 /* | 5545 /* |
6090 * FUNCTION: CERT_DisableOCSPDefaultResponder | 5546 * FUNCTION: CERT_DisableOCSPDefaultResponder |
6091 * Turns off use of a default responder when OCSP checking. | 5547 * Turns off use of a default responder when OCSP checking. |
6092 * (Does nothing if use of a default responder is not enabled.) | 5548 * (Does nothing if use of a default responder is not enabled.) |
6093 * INPUTS: | 5549 * INPUTS: |
6094 * CERTCertDBHandle *handle | 5550 * CERTCertDBHandle *handle |
6095 * Cert database on which OCSP checking should stop using a default | 5551 * Cert database on which OCSP checking should stop using a default |
6096 * responder. | 5552 * responder. |
6097 * RETURN: | 5553 * RETURN: |
6098 * Returns SECFailure if an error occurred; SECSuccess otherwise. | 5554 * Returns SECFailure if an error occurred; SECSuccess otherwise. |
6099 * Errors very unlikely (like random memory corruption...). | 5555 * Errors very unlikely (like random memory corruption...). |
6100 */ | 5556 */ |
6101 SECStatus | 5557 SECStatus CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle) { |
6102 CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle) | 5558 CERTStatusConfig *statusConfig; |
6103 { | 5559 ocspCheckingContext *statusContext; |
6104 CERTStatusConfig *statusConfig; | 5560 CERTCertificate *tmpCert; |
6105 ocspCheckingContext *statusContext; | |
6106 CERTCertificate *tmpCert; | |
6107 | 5561 |
6108 if (handle == NULL) { | 5562 if (handle == NULL) { |
6109 » PORT_SetError(SEC_ERROR_INVALID_ARGS); | 5563 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
6110 » return SECFailure; | 5564 return SECFailure; |
6111 } | 5565 } |
6112 | 5566 |
6113 statusConfig = CERT_GetStatusConfig(handle); | 5567 statusConfig = CERT_GetStatusConfig(handle); |
6114 if (statusConfig == NULL) | 5568 if (statusConfig == NULL) return SECSuccess; |
6115 » return SECSuccess; | |
6116 | 5569 |
6117 statusContext = ocsp_GetCheckingContext(handle); | 5570 statusContext = ocsp_GetCheckingContext(handle); |
6118 PORT_Assert(statusContext != NULL); | 5571 PORT_Assert(statusContext != NULL); |
6119 if (statusContext == NULL) | 5572 if (statusContext == NULL) return SECFailure; |
6120 » return SECFailure; | |
6121 | 5573 |
6122 tmpCert = statusContext->defaultResponderCert; | 5574 tmpCert = statusContext->defaultResponderCert; |
6123 if (tmpCert) { | 5575 if (tmpCert) { |
6124 » statusContext->defaultResponderCert = NULL; | 5576 statusContext->defaultResponderCert = NULL; |
6125 » CERT_DestroyCertificate(tmpCert); | 5577 CERT_DestroyCertificate(tmpCert); |
6126 /* we don't allow a mix of cache entries from different responders */ | 5578 /* we don't allow a mix of cache entries from different responders */ |
6127 CERT_ClearOCSPCache(); | 5579 CERT_ClearOCSPCache(); |
6128 } | 5580 } |
6129 | 5581 |
6130 /* | 5582 /* |
6131 * Finally, record the fact. | 5583 * Finally, record the fact. |
6132 */ | 5584 */ |
6133 statusContext->useDefaultResponder = PR_FALSE; | 5585 statusContext->useDefaultResponder = PR_FALSE; |
6134 return SECSuccess; | 5586 return SECSuccess; |
6135 } | 5587 } |
6136 | 5588 |
6137 SECStatus | 5589 SECStatus CERT_ForcePostMethodForOCSP(PRBool forcePost) { |
6138 CERT_ForcePostMethodForOCSP(PRBool forcePost) | 5590 if (!OCSP_Global.monitor) { |
6139 { | 5591 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); |
6140 if (!OCSP_Global.monitor) { | 5592 return SECFailure; |
6141 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 5593 } |
6142 return SECFailure; | |
6143 } | |
6144 | 5594 |
6145 PR_EnterMonitor(OCSP_Global.monitor); | 5595 PR_EnterMonitor(OCSP_Global.monitor); |
6146 OCSP_Global.forcePost = forcePost; | 5596 OCSP_Global.forcePost = forcePost; |
6147 PR_ExitMonitor(OCSP_Global.monitor); | 5597 PR_ExitMonitor(OCSP_Global.monitor); |
6148 | 5598 |
6149 return SECSuccess; | 5599 return SECSuccess; |
6150 } | 5600 } |
6151 | 5601 |
6152 SECStatus | 5602 SECStatus CERT_GetOCSPResponseStatus(CERTOCSPResponse *response) { |
6153 CERT_GetOCSPResponseStatus(CERTOCSPResponse *response) | 5603 PORT_Assert(response); |
6154 { | 5604 if (response->statusValue == ocspResponse_successful) return SECSuccess; |
6155 PORT_Assert(response); | |
6156 if (response->statusValue == ocspResponse_successful) | |
6157 » return SECSuccess; | |
6158 | 5605 |
6159 switch (response->statusValue) { | 5606 switch (response->statusValue) { |
6160 case ocspResponse_malformedRequest: | 5607 case ocspResponse_malformedRequest: |
6161 » PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); | 5608 PORT_SetError(SEC_ERROR_OCSP_MALFORMED_REQUEST); |
6162 » break; | 5609 break; |
6163 case ocspResponse_internalError: | 5610 case ocspResponse_internalError: |
6164 » PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); | 5611 PORT_SetError(SEC_ERROR_OCSP_SERVER_ERROR); |
6165 » break; | 5612 break; |
6166 case ocspResponse_tryLater: | 5613 case ocspResponse_tryLater: |
6167 » PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER); | 5614 PORT_SetError(SEC_ERROR_OCSP_TRY_SERVER_LATER); |
6168 » break; | 5615 break; |
6169 case ocspResponse_sigRequired: | 5616 case ocspResponse_sigRequired: |
6170 » /* XXX We *should* retry with a signature, if possible. */ | 5617 /* XXX We *should* retry with a signature, if possible. */ |
6171 » PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG); | 5618 PORT_SetError(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG); |
6172 » break; | 5619 break; |
6173 case ocspResponse_unauthorized: | 5620 case ocspResponse_unauthorized: |
6174 » PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); | 5621 PORT_SetError(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST); |
6175 » break; | 5622 break; |
6176 case ocspResponse_unused: | 5623 case ocspResponse_unused: |
6177 default: | 5624 default: |
6178 » PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); | 5625 PORT_SetError(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS); |
6179 » break; | 5626 break; |
6180 } | 5627 } |
6181 return SECFailure; | 5628 return SECFailure; |
6182 } | 5629 } |
OLD | NEW |